December 31, 2003

NetReg updates

I’ve moved the new version of NetReg into place, with layout updates and blocking code.

In the process, I also added it to the CVS repository on SHANTI, since Ned’s repository is long gone and not likely to get recovered. The repository has four subdirectories:

  • blockfiles gets moved into $WEBHOME/blockfiles
  • cgi-bin gets moved into $CGIROOT
  • htdocs gets moved into $WEBROOT
  • scripts gets put wherever; currently /usr/local/ecnetreg/scripts

Ideally there ought to be an etc directory that contains files to go into /usr/local/etc — like the config file — so that the configuration won’t be a perl module. That’s way down the road, though.

Moodle LDAP authentication

Copied the included LDAP authentication module from Moodle and created an ldap2307 module that works with a proper RFC 2307 standard structure.

See this entry for a description of the problem and proposed solution. I created a new module that removes the ability to create new users in the directory and adds the ability to use standard RFC 2307 group structures for determining group membership in course creator assignment.

December 17, 2003

Backup holiday

Set up backups to exclude most of the week of Christmas, and several of the full backups to exclude the weekends as well.

Moodle LDAP creators

Am going to have to do some coding for Moodle’s LDAP authorization system after break.

The course creators check in the LDAP module is wrongheaded (well, for us and most of the world, apparently fine for Novell E-Directory). It looks for the list of groups a user is a member of in the user’s LDAP object. Instead, we store the users that are members of a group as attributes in the group object.

New variables: $ldap_group_contexts, $ldap_group_attribute.

$ldap_group_contexts is similar to $ldap_contexts in that it lists the trees under which group objects can be found.

$ldap_group_attribute is like $ldap_user_attribute: it is the attribute that holds the name of the group.

$ldap_memberattribute is the attribute in the group object that has the username of the member.

$ldap_creators is a semicolon separated list of $ldap_group_attribute values that list the groups that are to be creators.

The search will be, one for every $ldap_group_contexts:

( & (memberUid=$username)( | (cn=$group1) (cn=$group2) … ))

and request the $ldap_group_attribute. If it matches any of $ldap_creators, then $username is a creator.
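The group-side lookup sketched above, as an added example in Python (not the post's or Moodle's code): it builds the filter with RFC 4515 escaping, so a username containing `*` or parentheses is matched literally, then runs one search per group context. The `search` callable, the `example.edu` DNs and the canned result are assumptions constructed for illustration.

```python
# Added example, not Moodle's or the post's code. Names mirror the post's
# settings; the search() callable and the sample data are assumptions.

def escape_filter_value(value):
    """RFC 4515: filter metacharacters and non-ASCII bytes become \\xx."""
    return "".join(
        "\\%02x" % b if (chr(b) in "\\*()\x00" or b > 0x7F) else chr(b)
        for b in value.encode("utf-8")
    )

def split_list(setting):
    """Split a semicolon-separated setting, dropping empty items."""
    return [item.strip() for item in setting.split(";") if item.strip()]

def creator_filter(username, ldap_creators,
                   member_attr="memberUid", group_attr="cn"):
    """Build (&(memberUid=USER)(|(cn=G1)(cn=G2)...)) with escaped values."""
    groups = split_list(ldap_creators)
    if not username or not groups:
        raise ValueError("username and ldap_creators must be non-empty")
    terms = "".join("(%s=%s)" % (group_attr, escape_filter_value(g)) for g in groups)
    return "(&(%s=%s)(|%s))" % (member_attr, escape_filter_value(username), terms)

def is_creator(username, ldap_group_contexts, ldap_creators, search, group_attr="cn"):
    """One search per group context; search(base, filter, attrs) returns a list
    of {attribute: [values]} dicts, as an LDAP client would."""
    wanted = {g.lower() for g in split_list(ldap_creators)}
    flt = creator_filter(username, ldap_creators, group_attr=group_attr)
    for base in split_list(ldap_group_contexts):
        for entry in search(base, flt, [group_attr]):
            # Re-check the returned group name instead of trusting any hit.
            if any(v.lower() in wanted for v in entry.get(group_attr, [])):
                return True
    return False

# Constructed sample data: the one (base, filter) pair this fake server answers.
CONTEXTS = "ou=Group,dc=example,dc=edu; ou=Depts,dc=example,dc=edu"
CREATORS = "faculty;its-staff"
CANNED = {
    ("ou=Group,dc=example,dc=edu",
     "(&(memberUid=asmith)(|(cn=faculty)(cn=its-staff)))"): [{"cn": ["Faculty"]}],
}

def canned_search(base, flt, attrs):
    """Stand-in for the directory: answers only the exact filter it expects."""
    return CANNED.get((base, flt), [])

if __name__ == "__main__":
    print(creator_filter("asmith", CREATORS))
    print(creator_filter("*)(cn=*", CREATORS))  # metacharacters stay literal
    print(is_creator("asmith", CONTEXTS, CREATORS, canned_search))
```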

December 11, 2003

Replace batteries on A1000s

I just replaced the batteries on the A1000s on paco and roj.

As predicted, it went quite smoothly.

Funny, both paco and roj seem to be saying that their Disksuite arrays are critical, but the disks seem to be fine. I’m just not sure what’s up with that.

I also removed the extra 36GB disks from roj that we’d gotten for AMANDA. I’ll be putting them in eyewi at some point for more disk storage unit.

EZproxy upgrade

Upgraded the library EZproxy software from version 1.x to 2.2e this morning.

Built a new FreeBSD package for it, wiping out the config that was already there — but saved it from rcs.mgr and the test instance. New features include LDAP authentication, LDAP group authorizations, and a new look (library-compatible) for the login window.

Neal and Christine have been notified of the upgrade; Neal had been testing it, and I should hear if there are any problems.

December 10, 2003

RAID quotes

Got some quotes for RAID devices from Zzyzx today.

The StingRAID device is looking promising. I’m pitting it against a few other SATA devices to see what sorts of information floats to the top. Probably one of the other contenders at the moment is the AC&NC JetStor III SATA system. I’ll be contacting them for quotes soon.

We might want to investigate the fibre channel interface on the StingRAID, if it’s not too costly (gains us a second RAID controller with active/active failover).

Used DLT tapes

We’ll be returning the used DLT tapes that we got for replacement with new tapes.

Yet another tape had I/O errors on it this morning, making most of the backups fail. We’ve used 9 of the tapes, and had significant problems with three of them. I attempted to duplicate the one image from ROJ off of some of the tapes from last weekend, but that doesn’t seem to work very well with only one tape drive. I may try tomorrow to duplicate it to disk and then to another tape, but I’m not sure if the disk is big enough. If not, I may end up just blanking all the tapes used (or attempted) so far and bundling them up and calling it a loss.

December 09, 2003

A1000 batteries

Battery end of life on paco and roj’s A1000 arrays.

Got a case number open for this (63857094), and David Fowee at Sun is ordering new battery canisters that should get here UPS tomorrow. Call him at (voice pager) 937-427-4232 or send mail to David.Fowee@sun.com if there’s anything confusing.

When the canisters get here, we need to power off the system, replace the canisters, and then run ‘raidutil -c target -R’ to reset the battery date. Oh, and write the date on the canister when it’s put in.

raidutil is in /usr/sbin/osa.

Will be in touch with David Fowee after it’s all done to make sure we get the paperwork filled out properly.

December 08, 2003

Veritas and used tapes

Ugh. PAX weekend backups are not working well, so I tried to run a manual backup today.

It was working ok until it got to EC0050, and then it had an I/O error. EC0051 also had an I/O error. They’re both some of the “new” tapes that Lou got. Really, they’re used tapes, guaranteed for 10 years (never mind that new DLT IV tapes are guaranteed for 30 years … no, wait, Imation’s web site has a lifetime warranty, as does Quantum’s). I think it’s time to tell Lou never to buy used tapes again.

Be that as it may, it looks like it de-assigned EC0047-EC0049 after the backups failed (noisily). I’ll check tomorrow morning (after the nightlies, hrm) to see if the cleaning light is on. If it’s not, I’ll try mounting EC0050 and writing junk to it to reproduce an error. If I can’t, I’ll try writing junk to it on MIR’s tape drive. I really hope there’s an error somewhere in there so I can take it back to Lou and say “Here, get me a new one. I mean new, ok?”

December 04, 2003

NetReg coding

Completing the blocking code project for NetReg.

Cleaning up a few things in the NetReg code and making sure the blocking code works. Also put in HTML fragments for most of the block reasons except AUP. We’ve got proxying going to the main web site, so we can pull data and Vexira stuff off of there as we need it.

One more thing I’d like to add before I turn this live is a display of the person who blocked the connection (the PIDM is already recorded in the database, we just need to extract it).

After that, just some live testing should do the trick. Probably shoot for a go-live date of early January, a short bit before the semester starts.

December 03, 2003

More hardware RAID

Much of the afternoon was spent chasing down more information on hardware RAID systems.

My current thoughts are that we can probably get a 2-3 TB (S)ATA RAID system for around $10k. We can put that on a SunFire and either run Solaris 9 UFS with logging and snapshots, or possibly run Veritas filesystem on it.

I found more information on various web sites about the options for hardware RAID, and also found some anecdotal information about how well they work on Solaris. Web sites to keep in mind:

PacketShaper and FTP

Apparently the packet shaper really doesn’t understand passive FTP.

I removed all the detailed classes for restricting FTP and just created a general FTP class. There are no limitations on FTP servers anymore, but that’s as it has to be. Passive FTP looks to the Packet Shaper like active FTP to a server not on the allowed host list.

December 02, 2003

RAID research

Spent the afternoon reading product glossies for a number of RAID devices.

If we can find a SCSI RAID box for $10k to $15k in the 1.5 to 3 TB range, we should be good. We can add it to approximately $5k worth of SunFire server and have a good NAS box with snapshots, a nice filesystem, and other good stuff. We might even want to use Veritas VxFS on it instead of UFS.

Moodle tweaking

I added ipfilter and curl to the Moodle box.

Being pretty restrictive on ipfilter — only allowing http(s) and ssh in and only allowing established connections and ICMP out (aside from server net).

Curl is there to run the PHP cron scripts in Moodle.

December 01, 2003

Moodle CMS

Getting started with a test instance of Moodle today.

I repossessed a Dell OptiPlex with a 933 Pentium III and 512 MB of RAM to run FreeBSD on for the Moodle system. Installation was ok. Apparently 4.9 does have a bunch of precompiled packages, but you have to download them by hand from an FTP site; they’re not on a CD and accessing an FTP site through sysinstall gives you only about four packages.

All the requisite packages are in my home directory on the Moodle box. The only thing I had to compile from the ports tree is PHP. It requires the addition of a bunch of options and the loss of the MySQL option.

Pointing Moodle to the LDAP server is pretty straightforward. It points to the fact that I’d like to have more user information in LDAP, but that’s no fault of Moodle.

I spent some time this afternoon working on an Earlham theme for the Moodle look. It goes pretty well, at the basic level. I may want to expand on it, but maybe not.

Style sheet redesign

I redesigned the style sheet for this blog, and also modified the index template.

Not much to see, really. Just made it look like a typewriter and added boxes to the left side links.