Workstations
CPTE 433 Chapter 3
Adapted by John Beckett from The Practice of System & Network Administration by Limoncelli, Hogan, & Chalup
Define “Workstation”
• Used by a single individual
– Or perhaps a kiosk used by a single individual at a time
– A lab computer is a form of kiosk
– May be remotely used (yours, for example)
• There are many deployed
• It is to our advantage to have them identical
– Easier to manage
• Need a carefully-defined life cycle
Managing Operating Systems
Three Tasks
1. Loading the system software and applications
2. Updating the system software and applications
3. Configuring network parameters
Automating these procedures is the key!
Evard’s Life Cycle of a Machine
[Figure 3.1: Evard’s life cycle of a machine, drawn as a state diagram. States: New, Clean, Configured, Unknown, Off. Transitions: Build, Initialize, Update, Entropy, Debug, Rebuild, Retire. “Configured” is the only useful state.]
Lessons from Evard
• Identifiable states and transitions exist.
• The computer is usable only in the configured state.
• Negative state changes happen by themselves.
• CSA effort is required to make positive state changes.
• Automating positive state changes helps.
What is a “First Class Citizen?”
• A device that receives full support.
• Other devices may get:
– Networking support
– Limited-time support
– “Best-effort” (i.e., left-over time)
Why “promote” an undesired device or configuration?
• It is politically necessary to tolerate it.
• Botched installation/configuration by users is creating problems.
• Perhaps it is something you ought to learn to like!
Questions For Vendors
• How are SA processes automated in your product line?
• What is the deployment cost?
– This must be added to what we have to pay you, so it affects your competitive position.
Why Not Hand-Load Software?
• Mistakes.
– It simply doesn’t work right because someone got something wrong.
• Non-uniformity.
– Each difference means we might have difficulty tracking down yet a different problem.
Is Your System Automated?
• “You just run this little script after the download…”
• Duh…that means somebody has to:
– Wait until the download completes
– Notice the download has completed
– Run the script
– Wait for the script to complete
– Note that the script completed correctly
E.T. Call Home
The final step in a deployment script should be to send an email to the perpetrator giving…
– Which machine this is
– What script was run
– Status details as of completion
How Do You Get There From Here?
• Document manual steps carefully
• Package steps in a script
• Proof the script
– Consider possible variations it might encounter
• Comment the script
• This takes time
– …but if you’re doing the same thing a lot, it saves time
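To make the “document, package, proof, comment, call home” sequence concrete, here is an added example of a deployment-script skeleton in POSIX sh. It is not code from the slides or from the book: the documented steps, the config values and the e-mail handling are constructed for illustration, and the step numbers in its log are meant to match the numbered steps of the written procedure.

```shell
#!/bin/sh
# Added example (not from the slides or from the book): the skeleton of a
# deployment script that packages the documented steps, handles one
# variation it is likely to meet, and "calls home" when it finishes.
# Assumptions: POSIX sh; the config file contents are constructed;
# REPORT_TO (an e-mail address) and the `mail` command are optional,
# otherwise the report goes to stdout.
SCRIPT_NAME="$(basename "$0")"
NL='
'
STEP_LOG=""     # one "step N: name -> result" line per documented step

log_step() {    # log_step N NAME RESULT; N matches the written procedure
    STEP_LOG="${STEP_LOG}step $1: $2 -> $3${NL}"
}

# A variation the script must expect: which package manager is present?
# Prints its name, or "none" so the caller can fail clearly instead of guessing.
detect_pkg_manager() {
    for pm in apt-get dnf yum zypper pacman; do
        if command -v "$pm" >/dev/null 2>&1; then echo "$pm"; return 0; fi
    done
    echo none
}

# Step 1 of the documented procedure: write the site configuration under ROOT
# (a real script would unpack the approved config bundle here; values are constructed).
install_site_config() {
    mkdir -p "$1/etc" || return 1
    printf 'ntp_server=ntp.example.invalid\nsyslog_host=logs.example.invalid\n' > "$1/etc/site.conf"
}

# Step 2: verify the result instead of assuming step 1 worked.
verify_site_config() {
    grep -q '^ntp_server=' "$1/etc/site.conf" && grep -q '^syslog_host=' "$1/etc/site.conf"
}

# The "E.T. call home" message: which machine, which script, how it ended.
build_report() {    # build_report EXIT_STATUS
    if [ "$1" -eq 0 ]; then verdict=SUCCESS; else verdict=FAILURE; fi
    printf 'host: %s\n' "${HOSTNAME:-$(hostname 2>/dev/null || echo unknown)}"
    printf 'script: %s\n' "$SCRIPT_NAME"
    printf 'finished: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf 'exit status: %s (%s)\n' "$1" "$verdict"
    printf '%s' "$STEP_LOG"
}

call_home() {       # call_home EXIT_STATUS; mails if REPORT_TO is set, else prints
    if [ -n "$REPORT_TO" ] && command -v mail >/dev/null 2>&1; then
        build_report "$1" | mail -s "[deploy] $SCRIPT_NAME: status $1" "$REPORT_TO"
    else
        build_report "$1"
    fi
    return "$1"     # the report never masks the script's own result
}

# run_deployment ROOT: runs the documented steps in order, stops at the first
# failure, and always calls home. Returns 0 only if every step succeeded.
run_deployment() {
    STEP_LOG=""
    log_step 0 "detect package manager" "$(detect_pkg_manager)"
    if install_site_config "$1"; then
        log_step 1 "install site config" ok
    else
        log_step 1 "install site config" FAILED; call_home 1; return 1
    fi
    if verify_site_config "$1"; then
        log_step 2 "verify site config" ok
    else
        log_step 2 "verify site config" FAILED; call_home 1; return 1
    fi
    call_home 0
}

# Usage: sh deploy.sh /   (rehearse against a scratch directory first)
if [ "$#" -eq 1 ]; then run_deployment "$1"; fi
```

Rehearsing against a scratch directory is the “proof the script” step: every documented step is a function, a failure anywhere stops the run, and the report that arrives by mail tells you which machine, which script, and exactly which numbered step it reached.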
Partial Automation
• Document the process.
• Make notes on the documentation.
• Watch for opportunities to turn…
– a documented procedure
– into an automated procedure
Vendor Installations
• You don’t know what’s really in there.
• They may change their “standard” installation without telling you.
• You don’t know if you can replace it.
– Do you even have all the pieces (drivers especially)?
• If you didn’t install it and the vendor didn’t install it from your images, you don’t know what is there!
Update – Host is in a usable state
• You are changing the status from “configured” to “unknown” and then back.
• That’s two transitions, not one!
Update – The host is in an office
• Ideally you can do the update from your desk.
• If the update needs heavy network traffic, you might wish to have a special room where hosts to be updated can be taken so that their traffic is isolated.
Update – No physical access
• Physical visits cost time and money.
• A visit might not work because:
– The person might not be there.
– The person might be in the middle of an important task.
– The whole office might be locked.
• Updates should be possible from wherever you are.
Updates – The host is already in use
• This is no time to do something that will mess it up!
• Have a backup plan in case of disaster.
Updates – The host may not be in a “known state.”
• Automation must be done more carefully than at initial load time.
• This is a good reason for “unknown” to be considered the same as “new”.
Updates in a 24x7 age
• The host may have “live” users
– Can’t be taken down while they’re on.
– SMS can hold updates until a user logs off.
– Bell Labs has an Auto Patch system for the same purpose.
• The host may be gone, e.g. laptop.
• The host may be dual-boot.
Patch Propagation
A patch can actually create problems. So stage it:
• One machine.
• A few more – perhaps other SAs.
• Many.
– Save the automated update for the “many” stage.
What About Stop-Gaps?
• You have a need that isn’t on the standard load
• You implement the change
• Put it into a ticket!
Rogue DHCP Servers
• Router connected backwards
• “I was just trying LINUX”
– And he loaded “everything” (and activated it).
• Internet Connection Sharing
– Example: Southern Village. Second NIC in a student’s computer is used to connect to cable modem. He wishes to share the bandwidth with a friend in Talge.
Symptoms of a Rogue
• As machines are rebooted, they act strangely and sometimes don’t get an IP address.
• DHCP renewal often takes a surprisingly long time.
• Refreshed Ethernet links get strange addresses (which may or may not “work”).
Tracing a Rogue
Collect all information you can.
• From a computer getting a bad IP address:
– What IP address were they getting?
• (192.168.0.x may mean “D-link router”).
– What is the IP address of the DHCP server?
– From another LINUX machine, use arp -a
• And “grep” for the IP address to pick up the MAC address.
• Temporarily turn off your DHCP server and refresh a workstation
“Sharing”
[Diagram: Computer 1 has a wireless NIC (shared) and a wired NIC at 192.168.0.1; the wired NIC is connected to a hub or switch.]
Computer 1 has a wireless connection to the building’s network so they can get through your firewall. That connection is shared so others can have the same privilege.
Sharing means the other NIC is now functioning as a DHCP server!
Now other machines in your network may be receiving DHCP from this computer!
Another way to share
• Use Bridged sharing
• Connects your network with whatever network they’ve connected to
– Connects the DHCP server on the wireless network they are “sharing” with your workstations
– So the rogue DHCP server is actually not in your building!
What Good is a MAC address?
• It may be in your database.
– The machine has been “upgraded” to a new one and somebody tried something with the old box.
• You can look up the Ethernet vendor to see what brand it is – narrowing down the field.
• Intelligent switches can be queried as to the physical location of a specific MAC.
• But remember, a MAC address can be changed or even spoofed.