Managing Cern Computer Centre nodes

/usr/sbin/ncm_wrapper.sh

• spma_ncm_wrapper will put the machine completely in sync with the template, i.e. will execute all the ncm modules and spma

/usr/sbin/spma_ncm_wrapper.sh

Little Quattor FAQ

How to find a quattor template

The lemon monitoring framework provides links to the quattor template of each node, e.g. http://lemonweb.cern.ch/lemon-status/info.php?entity=cmslogbook. On the page you will find the link to the quattor template under the icon, e.g. http://tpl-viewer.cern.ch/cdb-tpl-view/tpl_view.php?profile=profiles/profile_cmslogbook. The name of the template to checkout is always in the first line, e.g.

Template: profiles/profile_cmslogbook  

The browser also allows to follow links to other templates which are included in this one.

I cannot create / modify a template

In case you don't have write permissions to a certain template you can check the acls with

<cdbop@cdbserv.cern.ch: ~> acl_get profiles/profile_cmslogbook
/profiles/profile_cmslogbook: %cmsvoc -> rwa, %gridops -> rwa
<cdbop@cdbserv.cern.ch: ~> group_list %gridops
%gridops: !straylen dcollado horat lfield mbabik roiser wlapka
<cdbop@cdbserv.cern.ch: ~> 

If you are not listed as a group member you will need to ask aa admin (!) to add you.

How to install a new software package

Software packages can be added to a node with the line

"/software/packages" = pkg_add("elog", "2.8.1-1", "x86_64"); 

instead of the version number the string "DEF" can put to get the default version of a package.

How to use lemon sensors / actuators

Below is an example of a lemon sensor and exception/actuator for a web service. Whenever the alarm (exception) is raised the actuator will run and try to restart the service + apache. If it fails 3 times it will execute an alarm to the operators.

"/software/packages" = pkg_add("lemon-sensor-http","0.2-0","noarch");
include pro_monitoring_sensor_httpget ;
include pro_monitoring_metrics_httpget ;
"/system/monitoring/metric/_9514/active" = true ;
"/system/monitoring/metric/_9514/param" = list(
   "url", "https://cms-logbook.cern.ch/elog/",
   "tag00", "title",
   "content00", "ELOG Logbook Selection"
);
"/system/monitoring/exception/_33008/active" = true ;
"/system/monitoring/exception/_33008/actuator" = nlist(
   "execve", '/bin/sh -c \\" /etc/init.d/elogd restart; sleep 5; /etc/init.d/httpd restart ; 
      /bin/echo \\\"Elogd and httpd restarted by Lemon. Please check.\\\" | 
      /bin/mail -s \\\"Elogd and httpd restarted on $HOSTNAME\\\" root \\" ',
   "maxruns", 3,
   "timeout", 30,
   "window", 0,
   "active", true,
);

How to enable user access to nodes

User access can be give to a node by putting the line

"/software/components/useraccess/users/roiser/acls" = list("system-auth"); 

into the quattor template, per user. User access can also given to members of a given unix group

"/software/components/authconfig/method/ldap/nss_base_passwd" = "OU=Users,OU=Organic Units,DC=cern,DC=ch?gidNumber=1399";

egroup (you have to create the corresponding group at https://e-groups.cern.ch/e-groups/EgroupsSearchForm.do

"/software/components/authconfig/method/ldap/nss_base_passwd" = 
   "OU=Users,OU=Organic Units,DC=cern,DC=ch?memberOf=CN=cms-elog-users,OU=e-groups,OU=Workgroups,DC=cern,DC=ch";

or both group id and egroup

"/software/components/authconfig/method/ldap/nss_base_passwd" = 
   "OU=Users,OU=Organic Units,DC=cern,DC=ch?one?|(gidNumber=1399)
      (memberOf=CN=cms-elog-users,OU=e-groups,OU=Workgroups,DC=cern,DC=ch)";

How to give users sudo access to nodes

The template has to contain once the line

include components/sudo/config; 

Then for every sudoer an extra line

"/software/components/sudo/privilege_lines" = push(nlist("user","roiser", "run_as","ALL", "host","ALL", "cmd","ALL", "options","NOPASSWD")); 

has to be created, corresponding /etc/sudoers entry. The one above is the easiest to provide but can be tailored down to the specific needs, e.g. only certain commands, etc. if needed.

How to enable backups for a node via TSM

TSM backups need to be setup together with tsm.support@cernNOSPAMPLEASE.ch . An example for quattor template entries would be

variable tsmserver = "TSM64";
include { 'services/tsmclient/config' };
"/software/components/tsmclient/inclexcl" = push("Include /usr/local/elog/.../*");

where everything under the directory /usr/local/elog will be backed up.

How to install a host certificate via quattor + host-certificate-manager

The quattor template needs to contain the line

include pro_service_hostcertificate; 

On lxvoadm the host certificate can be created with the "host-certificate-manager" tool, e.g.

host-certificate-manager --username=roiser cmslogbook

and subsequently deployed on the destination node via

[cmslogbook] /afs/cern.ch/user/r/roiser > /usr/sbin/ncm_wrapper.sh sindes

Useful Links

Lemon homepage: http://lemon.web.cern.ch/lemon/index.shtml

Lemon monitoring: http://lemonweb.cern.ch/lemon-web/

-- StefanRoiser - 04-Jul-2011

• script-code: