Workstations
CPTE 433 Chapter 3
Adapted by John Beckett from The Practice of System & Network Administration by Limoncelli, Hogan, & Chalup

Define “Workstation”
• Used by a single individual
  – Or perhaps a kiosk used by a single individual at a time
  – A lab computer is a form of kiosk
  – May be remotely used (yours, for example)
• There are many deployed
• It is to our advantage to have them identical
  – Easier to manage
• Need a carefully-defined life cycle

Managing Operating Systems
Three Tasks
1. Loading the system software and applications
2. Updating the system software and applications
3. Configuring network parameters
Automating these procedures is the key!

Evard’s Life Cycle of a Machine
[Figure 3.1: state diagram. States: New, Clean, Configured (“Only useful state”), Unknown, Off. Transitions: Build, Initialize, Update, Entropy, Debug, Rebuild, Retire.]

Lessons from Evard
• Identifiable states and transitions exist.
• The computer is usable only in the configured state.
• Negative state changes happen by themselves.
• CSA effort is required to make positive state changes.
• Automating positive state changes helps.

What is a “First Class Citizen?”
• A device that receives full support.
• Other devices may get:
  – Networking support
  – Limited-time support
  – “Best-effort” (i.e., left-over time)

Why “promote” an undesired device or configuration?
• It is politically necessary to tolerate it.
• Botched installation/configuration by users is creating problems.
• Perhaps it is something you ought to learn to like!

Questions For Vendors
• How are SA processes automated in your product line?
• What is the deployment cost?
  – This must be added to what we have to pay you, so it affects your competitive position.

Why Not Hand-Load Software?
• Mistakes.
  – It simply doesn’t work right because someone got something wrong.
• Non-uniformity.
  – Each difference means we might have difficulty tracking down yet a different problem.

Is Your System Automated?
• “You just run this little script after the download…”
• Duh…that means somebody has to:
  – Wait until the download completes
  – Notice the download has completed
  – Run the script
  – Wait for the script to complete
  – Note that the script completed correctly

E.T. Call Home
The final step in a deployment script should be to send an email to the perpetrator giving…
  – Which machine this is
  – What script was run
  – Status details as of completion

How Do You Get There From Here?
• Document manual steps carefully
• Package steps in a script
• Proof the script
  – Consider possible variations it might encounter
• Comment the script
• This takes time
  – …but if you’re doing the same thing a lot, it saves time

Partial Automation
• Document the process.
• Make notes on the documentation.
• Watch for opportunities to turn…
  – a documented procedure
  – into an automated procedure

Vendor Installations
• You don’t know what’s really in there.
• They may change their “standard” installation without telling you.
• You don’t know if you can replace it.
  – Do you even have all the pieces (drivers especially)?
• If you didn’t install it and the vendor didn’t install it from your images, you don’t know what is there!

Update – Host is in a usable state
• You are changing the status from “configured” to “unknown” and then back.
• That’s two transitions, not one!

Update – The host is in an office
• Ideally you can do the update from your desk.
• If heavy network traffic is needed, you might wish to have a special room where hosts to be updated can be taken so that their traffic is isolated.

Update – No physical access
• Physical visits cost time and money.
• A visit might not work because:
  – The person might not be there.
  – The person might be in the middle of an important task.
  – The whole office might be locked.
• Updates should be possible from wherever you are.

Updates – The host is already in use
• This is no time to do something that will mess it up!
• Have a backup plan in case of disaster.

Updates – The host may not be in a “known state.”
• Automation must be done more carefully than at initial load time.
• This is a good reason for “unknown” to be considered the same as “new”.

Updates in a 24x7 age
• The host may have “live” users
  – Can’t be taken down while they’re on.
  – SMS can hold updates until a user logs off.
  – Bell Labs has an Auto Patch system for the same purpose.
• The host may be gone, e.g. a laptop.
• The host may be dual-boot.

Patch Propagation
A patch can actually create problems. So stage it:
• One machine.
• A few more – perhaps other SAs.
• Many.
  – Save the automated update for the “many” stage.

What About Stop-Gaps?
• You have a need that isn’t on the standard load
• You implement the change
• Put it into a ticket!

Rogue DHCP Servers
• Router connected backwards
• “I was just trying LINUX”
  – And he loaded “everything” (and activated it.)
• Internet Connection Sharing
  – Example: Southern Village. Second NIC in a student’s computer is used to connect to a cable modem. He wishes to share the bandwidth with a friend in Talge.

Symptoms of a Rogue
• As machines are rebooted, they act strangely and sometimes don’t get an IP address.
• DHCP renewal often takes a surprisingly long time.
• Refreshed Ethernet links get strange addresses (which may or may not “work”).

Tracing a Rogue
Collect all information you can.
• From a computer getting a bad IP address:
  – What IP address were they getting?
    • (192.168.0.x may mean “D-Link router”).
  – What is the IP address of the DHCP server?
  – From another LINUX machine, use arp -a
    • And “grep” for the IP address to pick up the MAC address.
• Temporarily turn off your DHCP server and refresh a workstation

“Sharing”
[Diagram: Computer 1 with a Wireless (shared) link and a Wired link at 192.168.0.1.]
Computer 1 has a wireless connection to the building’s network so they can get through your firewall. That connection is shared so others can have the same privilege.
Sharing means the other NIC is now functioning as a DHCP server!
[Diagram: the wired NIC connects to a Hub or Switch.]
Now other machines in your network may be receiving DHCP from this computer!

Another way to share
• Use Bridged sharing
• Connects your network with whatever network they’ve connected to
  – Connects the DHCP server on the wireless network they are “sharing” with your workstations
  – So the rogue DHCP server is actually not in your building!

What Good is a MAC address?
• It may be in your database.
  – The machine has been “upgraded” to a new one and somebody tried something with the old box.
• You can look up the Ethernet vendor to see what brand it is – narrowing down the field.
• Intelligent switches can be queried as to the physical location of a specific MAC.
• But remember, a MAC address can be changed or even spoofed.
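The deployment-script pattern from the “Is Your System Automated?”, “E.T. Call Home” and “How Do You Get There From Here?” slides (run each step, notice whether it finished correctly, stop on failure, then mail a report naming the machine, the script and the status), as an added Python example that is not part of the slides. The step commands, the hostname, the recipient and the mail host are constructed placeholders.

```python
import subprocess
import sys
from datetime import datetime, timezone
from email.message import EmailMessage

def run_step(argv):
    """Run one deployment step; return (succeeded, combined stdout+stderr)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode == 0, proc.stdout + proc.stderr

def run_deployment(steps):
    """Run (name, argv) steps in order; stop at the first failure so a later
    step never runs against a half-finished earlier one."""
    results = []
    for name, argv in steps:
        ok, output = run_step(argv)
        results.append((name, ok, output))
        if not ok:
            break
    return results

def build_report(machine, script_name, results, recipient="sa-team@example.org"):
    """Compose the call-home mail: which machine, which script, status per step."""
    overall_ok = all(ok for _, ok, _ in results)
    msg = EmailMessage()
    msg["To"] = recipient
    msg["From"] = f"deploy@{machine}"
    msg["Subject"] = f"[{'OK' if overall_ok else 'FAILED'}] {script_name} on {machine}"
    lines = [f"Machine: {machine}", f"Script: {script_name}",
             f"Finished: {datetime.now(timezone.utc).isoformat()}", ""]
    for name, ok, output in results:
        lines.append(f"{'PASS' if ok else 'FAIL'}  {name}")
        if not ok:  # include the failing step's output so the SA can act on it
            lines.append(output.strip())
    msg.set_content("\n".join(lines))
    return msg

def send_report(msg, smtp_host="mailhost.example.org"):
    """Hand the report to the site mail relay (placeholder host)."""
    import smtplib
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)

def demo_steps():
    """Constructed stand-ins for download/install/verify commands; 'install' fails."""
    py = sys.executable
    return [("download", [py, "-c", "print('downloaded')"]),
            ("install", [py, "-c", "import sys; sys.exit(2)"]),
            ("verify", [py, "-c", "print('never reached')"])]

if __name__ == "__main__":
    print(build_report("ws-placeholder", "install-app.py", run_deployment(demo_steps())))
```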
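The triage the “Tracing a Rogue” and “What Good is a MAC address?” slides describe (which address the workstation got, which server handed it out, the server’s MAC from `arp -a`, and a vendor lookup on that MAC), as an added Python example that is not part of the slides. The authorized-server list, the OUI table and the `arp -a` text are constructed sample values.

```python
import ipaddress
import re

# Assumption: the DHCP servers you actually run, as recorded in your database.
AUTHORIZED_DHCP_SERVERS = {"10.1.0.5"}

# Constructed sample OUI table (first three octets -> vendor); use the IEEE
# OUI registry for real lookups.
OUI_VENDORS = {"00:11:22": "SampleRouterVendor", "aa:bb:cc": "SampleServerVendor"}

# Matches complete Linux `arp -a` entries: "host (ip) at mac [ether] on iface".
ARP_LINE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

# Constructed `arp -a` output from another Linux box on the affected segment.
SAMPLE_ARP = """\
gw.example.net (10.1.0.1) at aa:bb:cc:00:00:01 [ether] on eth0
? (10.1.0.5) at aa:bb:cc:00:00:05 [ether] on eth0
? (192.168.0.1) at 00:11:22:33:44:55 [ether] on eth0
? (10.1.0.77) at <incomplete> on eth0
"""

def parse_arp(text):
    """Map IP -> MAC for every complete entry; <incomplete> entries are skipped."""
    return {ip: mac.lower() for ip, mac in ARP_LINE.findall(text)}

def mac_vendor(mac):
    return OUI_VENDORS.get(mac[:8].lower(), "unknown vendor")

def assess_dhcp_server(offered_ip, server_ip, arp_text):
    """Decide whether the server that handed out offered_ip is one of ours,
    and collect the leads the slides suggest for tracking it down."""
    mac = parse_arp(arp_text).get(server_ip)
    notes = []
    if ipaddress.ip_address(offered_ip) in ipaddress.ip_network("192.168.0.0/24"):
        notes.append("192.168.0.x lease: typical of a consumer router or Internet Connection Sharing")
    if mac is None:
        notes.append("server MAC not in ARP table: not on this segment, or reached via bridged sharing")
    else:
        notes.append(f"server MAC {mac} ({mac_vendor(mac)}): check your database, "
                     "query the switch for its port, and remember MACs can be spoofed")
    return {"authorized": server_ip in AUTHORIZED_DHCP_SERVERS, "server_mac": mac, "notes": notes}

if __name__ == "__main__":
    for line in assess_dhcp_server("192.168.0.23", "192.168.0.1", SAMPLE_ARP)["notes"]:
        print(line)
```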