mirror of https://github.com/xcat2/xcat-core.git synced 2025-05-22 11:42:05 +00:00

Merge pull request #2454 from whowutwut/security0127

Looks good to me.
This commit is contained in:
Mark Gurevich 2017-01-31 16:49:15 -05:00 committed by GitHub
commit d076feb216
9 changed files with 118 additions and 95 deletions

View File

@ -52,7 +52,7 @@ Change the Management Hostname
hostname <new_MN_name>
* Edit hostname configuration file
* Update the hostname configuration files:
| Add hostname in ``/etc/hostname``
| Add HOSTNAME attribute in ``/etc/sysconfig/network`` (only for [RHEL])
@ -60,29 +60,29 @@ Change the Management Hostname
Update Database Files
---------------------
You need to update the new MN hostname or IP address in several database
configuration files.
You need to update the new MN hostname or IP address in several database configuration files.
SQLite
^^^^^^
Nothing to do.
Postgresql
PostgreSQL
^^^^^^^^^^
- Edit ``/etc/xcat/cfgloc`` file, replace ``Pg:dbname=xcatdb;host=<old_MN_ip>|xcatadm|xcat20``
with ``Pg:dbname=xcatdb;host=<new_MN_ip>|xcatadm|xcat20``.
- Edit ``/etc/xcat/cfgloc`` file...
- Edit config database config file ``/var/lib/pgsql/data/pg_hba.conf``,
replace ``host all all <old_MN_ip>/32 md5``
with ``host all all <new_MN_ip>/32 md5``.
Replace ``Pg:dbname=xcatdb;host=<old_MN_ip>|xcatadm|xcat20`` with ``Pg:dbname=xcatdb;host=<new_MN_ip>|xcatadm|xcat20``.
Mysql
- Edit config database config file ``/var/lib/pgsql/data/pg_hba.conf``...
Replace ``host all all <old_MN_ip>/32 md5`` with ``host all all <new_MN_ip>/32 md5``
MySQL
^^^^^
Edit ``/etc/xcat/cfglooc``, replace ``mysql:dbname=xcatdb;host=<old_MN_ip>|xcatadmin|xcat20``
with ``mysql:dbname=xcatdb;host=<new_MN_ip>|xcatadmin|xcat20``.
- Edit ``/etc/xcat/cfglooc``...
Replace ``mysql:dbname=xcatdb;host=<old_MN_ip>|xcatadmin|xcat20`` with ``mysql:dbname=xcatdb;host=<new_MN_ip>|xcatadmin|xcat20``
Start the database
------------------
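Review bot: the MySQL step still carries a misspelled path. Both the removed line and the added line read ``/etc/xcat/cfglooc``, while the PostgreSQL step in this same hunk uses ``/etc/xcat/cfgloc``; an admin who copies the path literally will not find the file. Correct the added line to ``- Edit ``/etc/xcat/cfgloc``...``. Minor: the added ``pg_hba.conf`` replace sentence drops the trailing period that the cfgloc sentence above it keeps.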
@ -116,12 +116,12 @@ Change the site table master attribute
Change all IP address attribute relevant to the MN IP address
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
For example, old address was "10.6.0.1"
For example, the old IP address was "10.6.0.1"
* Query the attributes with old address ::
* Query all the attributes with old address ::
lsdef -t node -l | grep "10.6.0.1"
# the output may looks like
...
conserver=10.6.0.1
conserver=10.6.0.1
conserver=10.6.0.1
@ -138,26 +138,23 @@ For example, old address was "10.6.0.1"
servicenode=10.6.0.1
xcatmaster=10.6.0.1
* As the attribute with the old IP address is list above, take conserver as
a example, query the nodes with ``conserver=10.6.0.1``.
::
* Looking at the list above, taking ``conserver`` as an example, query the nodes with ``conserver=10.6.0.1``: ::
lsdef -t node -w conserver="10.6.0.1"
# the output looks like
...
cn1 (node)
cn2 (node)
cn3 (node)
cn4 (node)
* Change the conserver address for cn1,cn2,cn3,cn4 ::
* Change the conserver address for nodes ``cn1,cn2,cn3,cn4`` ::
chdef -t node cn1-cn4 conserver=<new_ip_address>
Repeat the same process for the other attributes.
* Repeat the same process for the other attributes containing the old IP address.
Change networks table
^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^
Check your networks table to see if the network definitions are still correct,
if not edit accordingly ::
@ -166,7 +163,7 @@ if not edit accordingly ::
chdef -t network <key=value>
Check Result
^^^^^^^^^^^^^
^^^^^^^^^^^^
You can check whether all the old address has been changed using ::
@ -174,25 +171,24 @@ You can check whether all the old address has been changed using ::
cd <new database backup path>
fgrep "10.6.0.1" *.csv
If the old address still exists in the ``*.csv` file, you can edit this file,
then use the following command to restore the records ::
If the old address still exists in the ``*.csv`` file, you can edit this file, then use the following command to restore the records ::
tabrestore <xxx.csv>
Generate SSL credentials(optional)
----------------------------------
If you do not generate new credentials, skip this section.
If you decide generate new credentials, then you will use the following
command.
Use the following command to generate new SSL credentials: ``xcatconfig -c``.
* Generate new credentials ::
Then update the following in xCAT:
xcatconfig -c
* Update the policy table with new management node name and replace: ::
* Update the policy table with new MN name,
replace ``"1.4","old_MN_name",,,,,,"trusted",,`` with
``"1.4","new_MN_name",,,,,,"trusted",,``
"1.4","old_MN_name",,,,,,"trusted",,
with: ::
"1.4","new_MN_name",,,,,,"trusted",,``
* Setup up conserver with new credentials ::
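Review bot: the added ``"1.4","new_MN_name",,,,,,"trusted",,``` line ends in a stray pair of backticks, which will render as literal characters inside the policy-table example; drop them. The rewrite also introduces ``xcatconfig -c`` inline and then repeats it in a literal block under "Generate new credentials", so one of the two should go. The unchanged context line "Setup up conserver" reads as a typo ("Set up conserver") and could be fixed while this section is being edited.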

View File

@ -36,11 +36,7 @@ Database Connection Changes
Granting or revoking access privilege in the database for the service node.
* For mysql, refer to :ref:`grante_revoke_mysql_access_label`.
.. There is no procedure in old document on sourceforge for postgress to
grant or revoke the access privilege for service node.
* For postgress, refer to `TODO <https://localhost/todo>`_.
* For MySQL, refer to :ref:`grante_revoke_mysql_access_label`.
Update Provision Environment on Service Node
--------------------------------------------
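Review bot: removing the PostgreSQL TODO and its RST comment leaves the PostgreSQL grant/revoke case silently undocumented; a reader running PostgreSQL will now see only a MySQL bullet and may assume no step applies. Either keep a short line stating that the PostgreSQL procedure is not yet documented, or retain the comment, so the gap stays visible to both readers and maintainers.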

View File

@ -56,7 +56,7 @@ The configuration procedure will be quite different based on the shared data mec
/<dbdirectory>
``Note``:For mysql, the database directory is ``/var/lib/mysql``; for postgresql, the database directory is ``/var/lib/pgsql``; for DB2, the database directory is specified with the site attribute databaseloc; for sqlite, the database directory is /etc/xcat, already listed above.
``Note``:For MySQL, the database directory is ``/var/lib/mysql``; for PostGreSQL, the database directory is ``/var/lib/pgsql``; for DB2, the database directory is specified with the site attribute databaseloc; for sqlite, the database directory is /etc/xcat, already listed above.
Here is an example of how to make directories be shared data through NFS: ::
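Review bot: the added note spells the database "PostGreSQL", while the hostname-change document in this same PR normalizes it to "PostgreSQL"; use the same spelling here. "sqlite" is also left lowercase next to the capitalized MySQL and DB2, and ``/etc/xcat`` is not in a literal like the other two directories.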
@ -125,7 +125,7 @@ Setup xCAT on the Primary Management Node
service dhcpd stop
chkconfig --level 2345 dhcpd off
#. Stop Database and prevent the database from auto starting at boot time, use mysql as an example: ::
#. Stop Database and prevent the database from auto starting at boot time, use MySQL as an example: ::
service mysqld stop
chkconfig mysqld off
@ -180,7 +180,7 @@ Setup xCAT on the Standby Management Node
service dhcpd stop
chkconfig --level 2345 dhcpd off
#. Stop Database and prevent the database from auto starting at boot time. Use mysql as an example: ::
#. Stop Database and prevent the database from auto starting at boot time. Use MySQL as an example: ::
service mysqld stop
chkconfig mysqld off
@ -303,7 +303,7 @@ If the management node is still available and running the cluster, perform the f
#. Stop database
Use mysql as an example: ::
Use MySQL as an example: ::
service mysqld stop
@ -346,7 +346,7 @@ On the new primary management node:
mount /.xcat
mount /db2database
#. Start database, use mysql as an example: ::
#. Start database, use MySQL as an example: ::
service mysql start
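Review bot: the start step uses ``service mysql start`` while every stop step earlier in this file uses ``service mysqld stop``; for a given distribution only one of those service names exists, so the failover walkthrough as written will fail at either the stop or the start. Make the service name consistent across the file, or state which distribution each spelling applies to.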

View File

@ -8,34 +8,28 @@ Pre-requirement
In order to do switch-based switch discovery, the admin
1. Needs to manually setup and configure core-switch, SNMP v3 needs to be enabled in order for xCAT access to it. **username** and **userpassword** attributes are for the remote login. It can be for **ssh** or **telnet**. If it is for **telnet**, set protocol to “telnet”. If the **username** is blank, the **username** and **password** will be retrieved from the passwd table with “switch” as the key. SNMP attributes will used for SNMPv3 communication. **nodetype** has to be set to "switch" to differentiate between switch-based node discovery or switch-based switch discovery. Refer to switches table attributes. Example of core-switch definition:
1. Needs to manually setup and configure core-switch, SNMP v3 needs to be enabled in order for xCAT access to it. **username** and **userpassword** attributes are for the remote login. It can be for **ssh** or **telnet**. If it is for **telnet**, set protocol to “telnet”. If the **username** is blank, the **username** and **password** will be retrieved from the passwd table with “switch” as the key. SNMP attributes will used for SNMPv3 communication. **nodetype** has to be set to "switch" to differentiate between switch-based node discovery or switch-based switch discovery. Refer to switches table attributes. Example of core-switch definition: ::
::
lsdef switch-10-5-23-1
Object name: switch-10-5-23-1
groups=switch
ip=10.5.23.1
mac=ab:cd:ef:gh:dc
mgt=switch
nodetype=switch
password=admin
postbootscripts=otherpkgs
postscripts=syslog,remoteshell,syncfiles
protocol=telnet
snmpauth=sha
snmppassword=userpassword
snmpusername=snmpadmin
snmpversion=3
switchtype=BNT
usercomment=IBM
username=root
lsdef switch-10-5-23-1
Object name: switch-10-5-23-1
groups=switch
ip=10.5.23.1
mac=ab:cd:ef:gh:dc
mgt=switch
nodetype=switch
password=admin
postbootscripts=otherpkgs
postscripts=syslog,remoteshell,syncfiles
protocol=telnet
snmpauth=sha
snmppassword=userpassword
snmpusername=snmpadmin
snmpversion=3
switchtype=BNT
usercomment=IBM
username=root
2. Predefine all top-rack switches which connect to core-switch. The attribute **ip** is static ip address for the switch. When ``switchdiscover --setup`` command is issued, this ip address will replace dhcp IP address on the switch. **nodetype=switch** needs to be set to differentiate between switch-based node discovery or switch-based switch discovery during discovery process. the attribute **switch** is hostname of core-switch and **switchport** is the port number in the core-switch that top-rack switch is connected to.
::
2. Predefine all top-rack switches which connect to core-switch. The attribute **ip** is static IP address for the switch. When ``switchdiscover --setup`` command is issued, this IP address will replace dhcp IP address on the switch. **nodetype=switch** needs to be set to differentiate between switch-based node discovery or switch-based switch discovery during discovery process. the attribute **switch** is hostname of core-switch and **switchport** is the port number in the core-switch that top-rack switch is connected to. ::
lsdef switch-192-168-5-22
objtype=node
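Review bot: the added sentence keeps two grammar slips from the original: "in order for xCAT access to it" should be "in order for xCAT to access it", and "SNMP attributes will used" should be "will be used". In the example definition, ``mac=ab:cd:ef:gh:dc`` is not a valid MAC address (``gh`` is not hex and there are only five octets); use a six-octet hex placeholder so the sample can be copied. Since the text says ssh is supported, consider showing ``protocol=ssh`` in the example rather than ``protocol=telnet``, so readers do not start from a configuration that sends ``password=admin`` in cleartext.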
@ -50,13 +44,13 @@ In order to do switch-based switch discovery, the admin
3. Add switches to /etc/hosts for hostname lookup and xdsh command. ::
makehosts switch-192-168-5-23
makehosts switch-192-168-5-22
makehosts switch-192-168-5-23
makehosts switch-192-168-5-22
4. Setup Dynamic IP range in network table for discovered switches to use. ::
# tabdump networks
# tabdump networks
#netname,net,mask,mgtifname,gateway,dhcpserver,tftpserver,nameservers,ntpservers,logservers,dynamicrange,staticrange,staticrangeincrement,nodehostname,ddnsdomain,vlanid,domain,mtu,comments,disable
"192_168_0_0-255_255_0_0","192.168.0.0","255.255.0.0","enP4p1s0f2","<xcatmaster>",,"192.168.3.29",,,,"192.168.5.150-192.168.5.170",,,,,,,,,
@ -67,7 +61,7 @@ dhcp should be restarted after seting up dynamic IP range.
Discover Switches
~~~~~~~~~~~~~~~~~
xCAT supports **switchdiscover** command to discover the switches that are attached to the subnets on xCAT management node. Refer to http://xcat-docs.readthedocs.io/en/latest/advanced/networks/switchdiscover/switches_discovery.html for more info.
xCAT supports **switchdiscover** command to discover the switches that are attached to the subnets on xCAT management node. Refer to :doc:`/advanced/networks/switchdiscover/switches_discovery` for more info.
For the switch-based switch discovery, we add **setup** flag: ::
@ -125,13 +119,11 @@ if **--setup** flag is specified, the command will perform following steps:
Configure switches
~~~~~~~~~~~~~~~~~~
The **switchdiscover** command with ``--setup`` flag will set up switches with static ip address, change the hostname from predefine switches and enable snmpv3 configuration. For other switches configuration, Refer to http://xcat-docs.readthedocs.io/en/latest/advanced/networks/ethernet_switches/ethernet_switches.html and http://xcat-docs.readthedocs.io/en/latest/advanced/networks/infiniband/switch_configuration.html
The **switchdiscover** command with ``--setup`` flag will set up switches with static IP address, change the hostname from predefine switches and enable snmpv3 configuration. For other switches configuration, refer to :doc:`/advanced/networks/ethernet_switches/ethernet_switches` and :doc:`/advanced/networks/infiniband/switch_configuration`.
These two config files are located in the **/opt/xcat/share/xcat/scripts**. The **switchdiscover** process will call the config files with ``--all`` option. User can call these scripts to setup one of options manually.
These two config files are located in the **/opt/xcat/share/xcat/scripts** directory. The **switchdiscover** process will call the config files with ``--all`` option. User can call these scripts to setup one of options manually.
1. **configBNT** is for configure BNT switches.
::
1. **configBNT** is for configure BNT switches. ::
./configBNT --help
Usage:
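Review bot: the added line "**configBNT** is for configure BNT switches" should read "configures BNT switches" or "is for configuring BNT switches". The added sentence above it still calls configBNT and configMellanox "config files" while describing them as scripts that are invoked with ``--all``; "scripts" is the accurate term.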
@ -142,21 +134,22 @@ These two config files are located in the **/opt/xcat/share/xcat/scripts**. The
configBNT [--switches switchnames] [--snmp] [--user snmp_user] [--password snmp_password] [--group snmp_group]
configBNT [--switches switchnames] [--port port] [--vlan vlan]
2. **configMellanox** is for configuring Mellanox switch. The script will configure ntp service on the switch with xCAT MN and will use rspconfig command to
* enable ssh
* enable snmp function on the switch
* enable the snmp trap
* set logging destination to xCAT MN
2. **configMellanox** is for configuring Mellanox switch. The script will configure ntp service on the switch with xCAT MN and will use rspconfig command to
::
* enable ssh
* enable snmp function on the switch
* enable the snmp trap
* set logging destination to xCAT MN
./configMellanox --help
Usage:
configMellonax [-?│-h│--help]
configMellonax [--switches switchnames] [--all]
configMellonax [--switches switchnames] [--ip]
configMellonax [--switches switchnames] [--name]
configMellonax [--switches switchnames] [--config]
::
./configMellanox --help
Usage:
configMellonax [-?│-h│--help]
configMellonax [--switches switchnames] [--all]
configMellonax [--switches switchnames] [--ip]
configMellonax [--switches switchnames] [--name]
configMellonax [--switches switchnames] [--config]
Switch Status
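Review bot: the usage text shows ``configMellonax`` on every line while the script being described is ``configMellanox``. If this is a transcription error in the doc, fix the spelling; if the script's ``--help`` really prints ``configMellonax``, that is a bug in the script to fix separately, and the doc should not propagate it. The added ``rspconfig`` sentence is also missing a period before the bullet list.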
@ -166,7 +159,7 @@ During the switch-based switch discovery process, there are four states displaye
**Matched** --- Discovered switch is matched to predefine switch, **otherinterfaces** attribute is updated to dhcp IP address, and mac address, **switch type** and **usercomment** also updated with vendor information for the predefined switch.
**ip_configed** --- switch is set up to static ip address based on predefine switch IP address. If failure to set up IP address, the status will stay as **Matched**.
**ip_configed** --- switch is set up to static IP address based on predefine switch IP address. If failure to set up IP address, the status will stay as **Matched**.
**hostname_configed** -- switch host name is changed based on predefine switch hostname. If failure to change hostname on the switch, the status will stay as **ip_configed**.
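Review bot: the added ``ip_configed`` line still reads "predefine switch IP address" and "If failure to set up IP address"; "predefined switch IP address" and "If setting up the IP address fails" read cleanly. The same "predefine" wording appears in the unchanged ``Matched`` and ``hostname_configed`` lines and could be fixed in the same pass.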

View File

@ -32,5 +32,8 @@ Compute nodes can access the internet
Compute nodes can not access the internet
------------------------------------------
If compute nodes cannot access the internet, there are two ways to install additional packages:use apt proxy or use local mirror according to :ref:`ubuntu-install-non-internet`
If compute nodes cannot access the internet, there are two ways to install additional packages
* use apt proxy
* use local mirror
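Review bot: splitting the sentence into bullets drops the ``:ref:`ubuntu-install-non-internet``` cross-reference, which was the only pointer to where the apt proxy and local mirror procedures are actually described. Keep the reference, for example as a trailing line "Refer to :ref:`ubuntu-install-non-internet` for both procedures." Also note the underline on the heading above is one character longer than the title.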

View File

@ -69,7 +69,7 @@ In order to describe the hierarchy scenarios we can use , ``P`` to denote parent
+--------------+-----------------------------------------------------+-------------------------------------------------+
| P: link C: | "ALL","/root/testlinkpers/","link",, | Both parent and child are created in tmpfs |
| link, | "ALL","/root/testlink/testlinkchild",, | on the booted node following their respective |
| persistent | "link,persistent" | options; there's only one symbolic link of |
| persistent | "link,persistent" | options; there's only one symbolic link of |
| | | the parent is created in the local file system. |
+--------------+-----------------------------------------------------+-------------------------------------------------+
| P:link, | "ALL","/root/testlinkpers/","link,persistent",, | NOT permitted |

View File

@ -0,0 +1,27 @@
2017-01-27 - OpenSSL Vulnerabilities
====================================
*Jan 26, 2017*, OpenSSL announced the following security advisories: https://www.openssl.org/news/secadv/20170126.txt
Advisory CVEs
-------------
* CVE-2017-3731 - **Truncated packet could crash via OOB read** (Severity:Moderate)
* CVE-2017-3730 - **Bad (EC)DHE parameters cause a client crash** (Severity: Moderate)
* CVE-2017-3732 - **BN_mod_exp may produce incorrect results on x86_64** (Severity: Moderate)
* CVE-2016-7055 - **Montgomery multiplication may produce incorrect results** (Severity: Low)
Please see the security bulletin above for patch, upgrade, or suggested work around information.
Action
------
xCAT uses OpenSSL for client-server communication but **does not** ship it.
It is highly recommended to keep your OpenSSL levels up-to-date with the indicated versions in the security bulletins to prevent any potential security threats. Obtain the updated software packages from your Operating system distribution channels.
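Review bot: the heading dates the notice 2017-01-27 while the body cites the advisory as Jan 26, 2017 and the file is named 20170126_openssl.rst; pick one date. Since the Action section tells readers to move to "the indicated versions", the notice would be more useful if it named the affected branches and fixed releases from the advisory (1.1.0d and 1.0.2k) rather than leaving readers to find them. Minor: "Severity:Moderate" on the first bullet lacks the space the other bullets have, and "Operating system" should be lowercase.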

View File

@ -0,0 +1,7 @@
2017 Notices
============
.. toctree::
:maxdepth: 1
20170126_openssl.rst

View File

@ -4,5 +4,6 @@ Security Notices
.. toctree::
:maxdepth: 2
2017/index.rst
2016/index.rst
2015/index.rst