Servers and services 

All services are provided by two servers: gw.daq.lhcb and srv06.daq.lhcb.

service      daq.lhcb   cern.ch
DNS          gw         lbtbgw
slave DNS    srv06      pclbtbsrv06
NTP          gw         lbtbgw
DHCP         srv06      pclbtbsrv06
NIS          srv06      pclbtbsrv06
Kerberos V   srv06      pclbtbsrv06
backups      pool01

Network Address Translation:

NAT is done on the gateway, since all traffic is routed through it (cf. Network structure).

iptables -t nat -vL --line-numbers gives the full listing.

 

Important: some applications running in daq.lhcb, which should stay available (for now at least), require that their traffic is "bounced" by the gateway with the source address translated. Thus, in the following line


15 266 16516 SNAT all -- any any tfcctrl00.daq.lhcb !10.135.150.0/24  to:137.138.137.237

in the POSTROUTING chain of the nat table, tfcctrl00's address is translated if the destination address is NOT on the 10.135.150.0 segment (lab in Bat. 2). Keep this line as is, otherwise Richard's PVSS projects might stop working with clients located in the cern.ch domain!!!

 


Firewall:

On the gateway, obviously. Check out the iptables man pages... (There's a great book describing the important points about iptables: The Linux Quick Fix Notebook - you can find it on my desk if needed.)

 


 

DNS:

Main DNS server is the gateway. It serves only the daq.lhcb domain.

Configuration file: /etc/named.conf

DNS data is stored in the /var/named directory:

/var/named/forward.daq.lhcb.zone for the name resolution (name->address), and

/var/named/135.10.in-addr.arpa.zone for reverse mapping (address->name)

Important: It is not necessary to modify the zone files on the slave server. When editing these files on the master DNS server, set the serial field (second line) to yyyymmddx, e.g. " 200603170 ; serial", where yyyy = year, mm = month, dd = day of the change, and x is a single digit incremented by one with each modification within the same day. The slave only transfers a zone when its serial has increased, so this guarantees synchronisation with the slave DNS server.

After a change to the zone files, a restart of named is necessary.
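The serial rule above, as an added example (not part of the original page or of the site's own tooling): a Python helper that computes the next yyyymmddx serial and rewrites the serial line of a zone file, refusing the cases that would leave the slave out of sync. The function names and the sample SOA header, including the hostmaster address, are constructed for illustration.

```python
import re
from datetime import date

# Serial line in the style quoted on this page: " 200603170 ; serial"
SERIAL_RE = re.compile(r"^([ \t]*)(\d{9})([ \t]*;[ \t]*serial\b.*)$",
                       re.MULTILINE | re.IGNORECASE)

# Constructed sample zone header (not the real forward.daq.lhcb.zone).
SAMPLE_ZONE = """\
@ IN SOA gw.daq.lhcb. hostmaster.daq.lhcb. (
        200603170 ; serial
        10800     ; refresh
        3600      ; retry
        604800    ; expire
        86400 )   ; minimum
"""


def next_serial(current: str, today: date) -> str:
    """Return the next yyyymmddx serial, always numerically above `current`."""
    if not re.fullmatch(r"\d{9}", current):
        raise ValueError(f"not a yyyymmddx serial: {current!r}")
    day, x = current[:8], int(current[8])
    stamp = today.strftime("%Y%m%d")
    if stamp > day:                      # first change on a new day
        return stamp + "0"
    if stamp < day:                      # serial is dated in the future
        raise ValueError("serial is ahead of today; a lower value would not transfer")
    if x == 9:                           # x is one digit: 10 changes per day at most
        raise ValueError("tenth change today already used x=9")
    return day + str(x + 1)


def bump_zone(zone_text: str, today: date) -> str:
    """Rewrite the single serial line of a zone file, leaving the rest untouched."""
    found = SERIAL_RE.findall(zone_text)
    if len(found) != 1:
        raise ValueError(f"expected one serial line, found {len(found)}")
    return SERIAL_RE.sub(
        lambda m: m.group(1) + next_serial(m.group(2), today) + m.group(3),
        zone_text)


if __name__ == "__main__":
    print(bump_zone(SAMPLE_ZONE, date(2006, 3, 17)))
```
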

The DNS server forwards queries for unknown hosts to the CERN DNS server, thus the following /etc/resolv.conf is adequate:

search daq.lhcb
nameserver 10.135.1.1
nameserver 10.135.101.6
 


DHCP

DHCP in the daq.lhcb domain is centralised on srv06, with the exception of the hosts located in Bat. 2.

The main configuration file is /etc/dhcpd.conf, while the hosts are declared in /etc/dhcpd.farm00, /etc/dhcpd.farm01, /etc/dhcpd.misc, etc. (the include statements in the main file should be self-explanatory).

The hosts in the lab in Bat. 2 are declared on lbtbongw01.cern.ch (the gateway in this lab), in /etc/dhcpd.conf.


NIS

Located on srv06. The passwd, group and netgroup files are located in the /etc/NIS directory. Adding a new user or a new group requires editing these files, after which run:

cd /var/yp ; make

You might also need to restart the yp server: /etc/init.d/ypserv restart

Important: there is a script which you can use to add a new user. It creates the user and his home directory (on srv06), as well as the corresponding Kerberos principal: /home/artur/admin/daquser.py

It should do everything, including the restart of ypserv. You will be asked to provide a kdc password, which is lhcbkrb (use this password also if you need to modify Kerberos principals - in this case use -p artur/admin).

The script also assigns a password to the new user, e.g. for a new user xyz, the default password will be lhcbxyz.

We'll replace NIS by LDAP in order to unify Linux and Windows user account management...


Backups

pool01.daq.lhcb runs an amanda server. To log in to this host, use the root account. The following partitions are backed up to disk (/data2), cf. /etc/amanda/tb/disklist:

host     partition
gw       /
srv06    /
ctrl01   /
ctrl01   /lhcb
pool02   /home
pool01   /

Monitoring Links:

Gateway CPU Utilisation

Gateway Disk Utilisation

srv06 CPU Utilisation

srv06 Disk Utilisation

ctrl01 CPU Utilisation

ctrl01 root partition Utilisation

ctrl01 /lhcb disk Utilisation

ctrl01 /data disk Utilisation

 

pool01 (SLC mirror, amanda backups):

pool01 CPU Utilisation

pool01 /slc disk Utilisation (SLC3 and SLC4 mirror)

pool01 /data1 Disk Utilisation (temporary amanda storage, misc.)

pool01 /data2 Disk Utilisation (amanda backup)