Networking/Procedures: Difference between revisions
From London Hackspace Wiki
Latest revision as of 16:37, 19 October 2021
Network Related procedures
Ansible procedures
Using Ansible with a Raspberry Pi
- dd the raspbian image (traditionally we use the 02-09 one to avoid usb issues, but that may not be needed anymore)
- boot the pi
- watch the dhcp logs on boole
- ssh pi@ip (password: raspberry)
- sudo raspi-config: update it, expand filesystem, change password, boot to console, advanced options -> hostname
- cd /etc/network and edit interfaces to get a static ip
- reboot
- on boole: add the hostname to fwd and rev. dns, don't forget to commit your changes.
- log into adminstuff with ssh keys forwarded
- add the hostname to /etc/ansible/hosts in both the [lhshosts] and [rpis] sections, and set syslocation="something sensible" (it's used for the SNMP sysLocation field)
- if it's a replacement for an old machine then clear the old cached host keys first:
  ssh-keygen -R hostname
  ssh-keygen -R hostname.lan.london.hackspace.org.uk
  ssh-keygen -R ipv4 address (?)
  ssh-keygen -R ipv6 address (?)
- then cd /etc/ansible and install python-apt, which ansible needs, on the raspberry pi:
  ansible -vvv -u pi -k -s -m command -a "apt-get -y install python-apt" "hostname"
- then run it:
  ansible-playbook -u pi -s -k -l "hostname" lhs/site.yml
  The 2nd one will add our users, ssh keys, packages, etc etc.

notes: not sure how resolv.conf gets set up, I thought having:
  iface eth0 inet static
  [...]
  dns-nameservers 172.31.24.2
  dns-search lan.london.hackspace.org.uk
would sort it, but maybe that doesn't and we got lucky from dhcp? The dns stuff in /etc/network/interfaces appears to be bogus and resolv.conf needs to be done manually, add to ansible.
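As an added example (not from the wiki, and not part of the hackspace's Ansible repo) of why each of the four ssh-keygen -R calls above is needed when a machine is replaced: a known_hosts entry only matches the exact name or address it was recorded under, and hashed entries cannot be found by grepping. Hostnames, addresses, keys and the salt are constructed; the hashing scheme is OpenSSH's HashKnownHosts format.

```python
import base64
import hashlib
import hmac

def hashed_host_field(name, salt):
    """OpenSSH HashKnownHosts form of a name: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed known_hosts: a plain multi-name entry for the pi being replaced, a hashed entry
# for its IPv6 address, and an unrelated host that must survive. Keys are dummy placeholders.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "newpi,newpi.lan.london.hackspace.org.uk,10.0.0.42 ssh-ed25519 AAAAdummykey1",
    hashed_host_field("fd00::42", b"constructed-20b-salt") + " ssh-ed25519 AAAAdummykey2",
    "boole.lan.london.hackspace.org.uk ssh-ed25519 AAAAdummykey3",
])

def entry_covers(field, names):
    """True if a known_hosts hostname field (plain, comma list or hashed) names any of `names`."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        for name in names:
            mac = base64.b64encode(hmac.new(salt, name.encode(), hashlib.sha1).digest()).decode()
            if hmac.compare_digest(mac, mac_b64):
                return True
        return False
    return any(n in field.split(",") for n in names)

def scrub_known_hosts(text, names):
    """Drop every entry that covers one of `names`; returns (remaining text, removed lines)."""
    kept, removed = [], []
    for line in text.splitlines():
        fields = line.split()
        if not fields or line.startswith("#"):
            kept.append(line)
            continue
        # Marker lines (@cert-authority, @revoked) put the hostname in the second field.
        host_field = fields[1] if fields[0].startswith("@") and len(fields) > 1 else fields[0]
        (removed if entry_covers(host_field, names) else kept).append(line)
    return "\n".join(kept), removed
```

The hashed entry is only matched by recomputing the HMAC for the exact string, which is why the short name, the FQDN and both addresses each need their own -R.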
Bootstrapping a new machine to a static ip
- Login to the new install and find its ip. Make sure you know the root password, or have an ssh key for the root account.
- Choose a hostname for your new machine.
- Log in to the dns vm (dns.lan.london.hackspace.org.uk), and as root cd /etc/bind, and edit lan.london.hackspace.org.uk. and db.10 to add your new host; remember the new static ip you choose. There are only a few static ips left, you may end up needing to shrink the dhcp range and change the dhcpserver config on boole as well.
- zkt-signer -v -r to sign and push out your changes.
- Check that the hostname works in fwd and reverse dns.
- git commit your changes and log out of the dns vm.
- On adminstuff edit /etc/ansible/hosts, add:
  <ip> syslocation="something" lhs_host=<hostname>
  to at least [lhshosts]; you probably want [ldap-clients] as well, and maybe some other sections, depending on what you want.
- Then edit /etc/ansible/lhs/vars/defaults.yml, adding your host and the last octet of the new static ip to the hosts: section.
- Now ssh to the host to check that ssh works: ssh root@<ip>
  You may need to fix old cached pub keys, and/or allow root to ssh to your new machine with a password (PermitRootLogin yes in /etc/ssh/sshd_config on the machine you are setting up).
- Now you can run ansible. This example assumes you are using a password for root:
  cd /etc/ansible
  ansible-playbook -l "<ip>" -k -u root lhs/site.yml
  and hopefully ansible should run ok and set everything up! Note that ansible will change the root password; hopefully you've got a way to get back in (either you are an admin in ansible, or in the Admins group in ldap; in either case you can login as yourself and then sudo).
- Now reboot the new machine, it should come back with the static ip. Double check that it's right.
- Now edit /etc/ansible/hosts on adminstuff again and in the entries you added earlier change <ip> to the machine's new full hostname.
- Now run ansible again (needed to fix the snmp config); if it's an ldap client you'll have to use your ldap password (you could always add your ssh key to your account on the new machine).
- git commit your changes on adminstuff, and you are done!
Removing an admin
edit /etc/ansible/lhs/vars/defaults.yml, remove them from users, add them to disable_users, then re-run ansible.
Ansible Troubleshooting
- problem, ansible dies in the snmp config cos it can't find a default ipv4 address.
- fix: make sure the machine has an ipv4 default route
- problem, the sshfp stuff just has hostname. rather than hostname.lan.london.hackspace.org.uk.
- fix: edit /etc/hosts on the affected machine so that both the long and short versions of the hostname are in there.
Making someone an admin
- Ask them for an ssh pubkey, preferred username, and the email address they want to use. If they already have an LDAP account then use the same username and email!
- Explain that they will get some automated emails from monitoring systems and cron tasks, if the emails indicate problems then they have a part of the responsibility to fix the problems :)
- Point them at https://github.com/londonhackspace/hackneyroad/issues and encourage them to fix issues and add things that they think need fixing. (The Ansible repo has a separate set of issues.)
- On adminstuff add the ssh pubkey as /etc/ansible/lhs/roles/common/files/<username>.pub
- edit /etc/ansible/lhs/vars/defaults.yml and add their details under the users: section
- run ansible as usual
- If it all works *don't forget to commit and push your changes*
- on turing (which you may not have access to, if not ask a trustee to do it for you)
  - add their email to london-hackspace-sysadmins in /etc/aliases
  - run newaliases
  - add them to the Admins LDAP group: smbldap-groupmod -m <username> Admins
- On github invite them to the "System Admins" Team.
- Mention the #london-hack-space-dev and #london-hack-space-infrastructure irc channels on freenode.