[7977] in Release_7.7_team
Linerva transition meeting today
daemon@ATHENA.MIT.EDU (Alex Dehnert)
Tue Jan 28 13:18:46 2014
Message-ID: <52E7F47A.905@dehnerts.com>
Date: Tue, 28 Jan 2014 13:18:34 -0500
From: Alex Dehnert <alex@dehnerts.com>
MIME-Version: 1.0
To: linerva@mit.edu
CC: release-team@mit.edu
We met with Jonathon today to discuss how we would carry out the
linerva->athena.dialup transition. Tentative plan, assuming that the
rest of Ops and Linerva maintainers are okay with it, is to replace the
Linerva sshds with something that rejects your login with a message
about athena.dialup, and to run a high-port sshd for recovering dead
sessions (aka plan 2 in the notes).
I've attached limited notes from the meeting.
~~Alex
[Attachment: linerva-transition.txt]
- Plan 1: use an F5 to do IP-based load balancing and give Ops linerva's keys
- original plan, but tentatively prefer plan 2 (see below)
- users connecting to linerva/linux are expecting linerva's ssh key; athena.dialup users expect athena.dialup's keys
- run two sshds, F5 to load-balance (linerva, but not athena.dialup)
- need to run two sslh's as well
- either two SIABs or run SIAB with SNI
- mosh breaks with IP-based load-balancing; get Keith to change the Athena mosh wrapper to check for an environment variable and tell you to use athena.dialup instead if you use linerva (geofft)
- ports open on linerva:
  PORT       STATE SERVICE
  22/tcp     open  ssh          (linerva sshd)
  79/tcp     open  finger       (actively break - it's one of five machines)
  80/tcp     open  http         (port-forward to athena.dialup - just a redirect to SIAB)
  111/tcp    open  rpcbind      (not user-facing)
  443/tcp    open  https        (linerva sslh)
  5666/tcp   open  nrpe         (not user-facing)
  8080/tcp   open  http-proxy   (linerva sshd)
  49155/tcp  open  unknown      (actively break - it's one of five machines)
  User stuff - not an issue:
  5901/tcp   open  vnc-1
  5902/tcp   open  vnc-2
  5903/tcp   open  vnc-3
  5904/tcp   open  unknown
  6001/tcp   open  X11:1
  6002/tcp   open  X11:2
  6003/tcp   open  X11:3
  6004/tcp   open  X11:4
- give jweiss (temporary?) root on linerva so he can grab the ssh keys
- need to disable strict acceptor check
- Plan 2:
- disable logins using linerva's usual sshds; say something like "Linerva is being decommissioned. Use IS&T's athena.dialup.mit.edu instead, or see http://some-kbish-entry for details."
- run an sshd on a high port that we can tell people about who want to access dead sessions and for maintainers
- probably our preferred plan (less effort), assuming non-attending Ops and Linerva folks are okay with it
- notifying current linerva users
- transition Friday morning
- motd, email to linerva-announce@, wall
- a week with dr-wily usable, then start soliciting people who want to be able to keep logging in, then go limited-access
- hostnames changing
- asked about emailing people with processes running; jweiss will think about it and is not strictly opposed
- another possibility: Ops will run a tiny "dialup" that no-knife.mit.edu, scrubbing-bubles.mit.edu, etc. resolve to, that displays a message like "This dialup is no longer in use. ssh to athena.dialup.mit.edu instead, or read http://so-kb-entry." and then disconnects you
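As an added illustration of "plan 2" (and of the tiny message-only "dialup" mentioned at the end of the notes), here is one way to express it as two OpenSSH configurations: a public listener on the existing ports that shows the decommissioning text as a pre-authentication Banner and then refuses every account with DenyUsers, and a separate high-port sshd for maintainers and for people recovering dead sessions, sharing the host keys that linerva's users already trust. This is example code written for this page, not anything from the meeting, from Linerva or from IS&T; the recovery port 22222, the banner path, the PidFile path and the groups linerva-maint and linerva-keep are assumptions, and the sshd_config directives used are standard OpenSSH ones.

```shell
#!/bin/sh
# Added example for the Linerva "plan 2" transition; not the notes' own code.
# Assumptions: recovery port 22222, banner at /etc/ssh/decommission-banner,
# groups linerva-maint / linerva-keep, PidFile under /var/run.
set -eu

BANNER_PATH="${BANNER_PATH:-/etc/ssh/decommission-banner}"   # assumed path
RECOVERY_PORT="${RECOVERY_PORT:-22222}"                       # assumed high port

# Banner text. sshd sends Banner before authentication, so it is the one
# place a user who will be rejected is guaranteed to see the message.
decom_banner() {
    cat <<'EOF'
Linerva is being decommissioned. Use IS&T's athena.dialup.mit.edu instead,
or see http://some-kbish-entry for details.
EOF
}

# Listener for the ports users already connect to (22 and 8080 per the port
# list; 443 reaches this sshd through sslh). "DenyUsers *" matches every
# account, so after the banner the client only ever sees "Permission denied".
decom_sshd_config() {
    cat <<EOF
# Decommission listener: everyone sees the banner, nobody logs in.
Port 22
Port 8080
HostKey /etc/ssh/ssh_host_rsa_key
Banner $BANNER_PATH
DenyUsers *
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# High-port sshd for maintainers and for recovering dead sessions. It reuses
# the same host key so existing known_hosts entries still match, limits
# logins to two groups (assumed names), and needs its own PidFile because a
# second sshd instance cannot share the default one.
recovery_sshd_config() {
    cat <<EOF
# Recovery listener: limited-access, same host key as before.
Port $RECOVERY_PORT
HostKey /etc/ssh/ssh_host_rsa_key
AllowGroups linerva-maint linerva-keep
PasswordAuthentication no
PidFile /var/run/sshd-recovery.pid
EOF
}

# Write the banner and both configs into DIR. Returns 0 on success.
write_plan2_configs() {
    dir="$1"
    mkdir -p "$dir"
    decom_banner         > "$dir/decommission-banner"
    decom_sshd_config    > "$dir/sshd_config.decom"
    recovery_sshd_config > "$dir/sshd_config.recovery"
    return 0
}
```

Before switching the live daemons over, each file can be syntax-checked with `sshd -t -f <file>` on the host that has the real host keys, and the recovery instance started with `sshd -f <dir>/sshd_config.recovery`. Two caveats a maintainer would want: Banner is only displayed by clients that honour it (OpenSSH does; some GUI clients hide it), so the wall/motd/email notices in the notes are still needed, and because the rejection happens after the client's authentication attempt, Kerberos or key users will see "Permission denied" rather than a clean close, which is why the message lives in the pre-auth banner rather than in a ForceCommand.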