Workstations: CPTE 433 Chapter 3. Adapted by John Beckett from The Practice of System & Network Administration by Limoncelli, Hogan, & Chalup.


1

Workstations

CPTE 433 Chapter 3
Adapted by John Beckett from The Practice of System & Network Administration by Limoncelli, Hogan, & Chalup

2

Define “Workstation”

• Used by a single individual
  – Or perhaps a kiosk used by a single individual at a time
  – A lab computer is a form of kiosk
  – May be remotely used (yours, for example)

• There are many deployed
• It is to our advantage to have them identical
  – Easier to manage
• Need a carefully-defined life cycle

3

Managing Operating Systems: Three Tasks

1. Loading the system software and applications

2. Updating the system software and applications

3. Configuring network parameters

Automating these procedures is the key!

4

Evard’s Life Cycle of a Machine

Figure 3.1 (state diagram; only its labels survived extraction). States: New, Clean, Configured, Unknown, Off. Transitions: Build (New → Clean), Initialize (Clean → Configured), Update (Configured → Configured), Entropy (Configured → Unknown), Debug (Unknown → Configured), Rebuild (Unknown → Clean), Retire (Configured → Off).

Only useful state: Configured

5

Lessons from Evard

• Identifiable states and transitions exist.

• The computer is usable only in the configured state.

• Negative state changes happen by themselves.

• CSA effort is required to make positive state changes.

• Automating positive state changes helps.

6

What is a “First-Class Citizen”?

• A device that receives full support.
• Other devices may get:
  – Networking support
  – Limited-time support
  – “Best-effort” (i.e., left-over time)

7

Why “promote” an undesired device or configuration?

• It is politically necessary to tolerate it.

• Botched installation/configuration by users is creating problems.

• Perhaps it is something you ought to learn to like!

8

Questions For Vendors

• How are SA processes automated in your product line?

• What is the deployment cost?
  – This must be added to what we have to pay you, so it affects your competitive position.

9

Why Not Hand-Load Software?

• Mistakes.
  – It simply doesn’t work right because someone got something wrong.
• Non-uniformity.
  – Each difference means we might have difficulty tracking down yet a different problem.

10

Is Your System Automated?

• “You just run this little script after the download…”

• Duh…that means somebody has to:
  – Wait until the download completes
  – Notice the download has completed
  – Run the script
  – Wait for the script to complete
  – Note that the script completed correctly

11

E.T. Call Home

The final step in a deployment script should be to send an email to the perpetrator giving:
  – Which machine this is
  – What script was run
  – Status details as of completion
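As an added illustration of the “call home” step (not code from the slides or the book), the script below runs a deployment step unattended, captures its exit status, and composes the completion report from the three items above. run_step(), build_report() and send_report() are my own helper names; the relay host and the sender and recipient addresses are placeholders.

```python
"""Last step of a deployment script: report back to whoever launched it.

Added example, not from the slides.  run_step(), build_report() and
send_report() are my own helpers; the relay host, sender and recipient
addresses are placeholders.
"""
import getpass
import platform
import smtplib
import socket
import subprocess
import sys
from datetime import datetime, timezone
from email.message import EmailMessage


def run_step(cmd):
    """Run one deployment step unattended; return (exit status, last 20 output lines).
    Nobody should have to sit and watch the step finish: its exit status is what
    the report is built from."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    tail = "\n".join((proc.stdout + proc.stderr).splitlines()[-20:])
    return proc.returncode, tail


def build_report(script, status, detail, to, sender="deploy@example.invalid"):
    """Compose the 'call home' message: which machine, which script, how it ended."""
    try:
        user = getpass.getuser()
    except Exception:          # no passwd entry in a minimal container
        user = "unknown"
    verdict = "OK" if status == 0 else f"FAILED (exit {status})"
    host = socket.gethostname()
    msg = EmailMessage()
    msg["Subject"] = f"[deploy] {script} on {host}: {verdict}"
    msg["From"] = sender
    msg["To"] = to
    msg.set_content(
        f"Machine:  {host} ({platform.platform()})\n"
        f"Script:   {script}\n"
        f"Run by:   {user}\n"
        f"Finished: {datetime.now(timezone.utc).isoformat(timespec='seconds')}\n"
        f"Status:   {verdict}\n"
        f"\nLast output lines:\n{detail}\n"
    )
    return msg


def send_report(msg, relay=None):
    """Hand the message to the mail relay; with relay=None just print it (dry run)."""
    if relay is None:
        print(msg)
        return False
    with smtplib.SMTP(relay, timeout=30) as smtp:   # relay name is a placeholder
        smtp.send_message(msg)
    return True


if __name__ == "__main__":
    # Stand-in for the real deployment step (constructed; it just prints and exits 0).
    status, detail = run_step([sys.executable, "-c", "print('package set installed')"])
    send_report(build_report(sys.argv[0], status, detail, to="sa-team@example.invalid"))
    sys.exit(status)
```

The script exits with the step’s own status, so whatever scheduled it (cron, a job runner) also sees the failure rather than only the person reading the mail.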

12

How Do You Get There From Here?

• Document manual steps carefully
• Package steps in a script
• Proof the script
  – Consider possible variations it might encounter
• Comment the script
• This takes time
  – …but if you’re doing the same thing a lot, it saves time

13

Partial Automation

• Document the process.
• Make notes on the documentation.
• Watch for opportunities to turn…
  – a documented procedure
  – into an automated procedure

14

Vendor Installations

• You don’t know what’s really in there.
• They may change their “standard” installation without telling you.
• You don’t know if you can replace it.
  – Do you even have all the pieces (drivers especially)?
• If you didn’t install it and the vendor didn’t install it from your images, you don’t know what is there!

15

Update – The host is in a usable state

• You are changing the status from “configured” to “unknown” and then back.

• That’s two transitions, not one!

16

Update – The host is in an office

• Ideally you can do the update from your desk.

• If the update needs heavy network traffic, you might wish to have a special room where hosts to be updated can be taken so that their traffic is isolated.

17

Update – No physical access

• Physical visits cost time and money.
• A visit might not work because:
  – The person might not be there.
  – The person might be in the middle of an important task.
  – The whole office might be locked.
• Updates should be possible from wherever you are.

18

Updates – The host is already in use

• This is no time to do something that will mess it up!

• Have a backup plan in case of disaster.

19

Updates – The host may not be in a “known state.”

• Automation must be done more carefully than at initial load time.

• This is a good reason for “unknown” to be considered the same as “new”.
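To make the lessons from Evard, the “two transitions, not one” point about updates, and the idea of treating “unknown” like “new” concrete, here is an added illustration (not code from the slides or the book) that models Figure 3.1 as an explicit state machine. The Machine class, perform_update() and plan_to_configured() are my own names; the transition endpoints are the ones in Evard’s diagram.

```python
"""Evard's life cycle of a machine as an explicit state machine.

Added illustration, not code from the slides or the book; the Machine class,
plan_to_configured() and perform_update() are my own names.  Transition
endpoints follow Figure 3.1 of The Practice of System & Network Administration.
"""
from dataclasses import dataclass, field

# transition name -> (from state, to state)
TRANSITIONS = {
    "build":      ("new",        "clean"),
    "initialize": ("clean",      "configured"),
    "update":     ("configured", "configured"),
    "entropy":    ("configured", "unknown"),   # happens by itself, no SA action
    "debug":      ("unknown",    "configured"),
    "rebuild":    ("unknown",    "clean"),
    "retire":     ("configured", "off"),
}
STATES = {s for pair in TRANSITIONS.values() for s in pair}
# Positive changes need SA (or automation) effort; entropy is the only negative one.
POSITIVE = {name for name in TRANSITIONS if name != "entropy"}


@dataclass
class Machine:
    name: str
    state: str = "new"
    history: list = field(default_factory=list)

    def usable(self) -> bool:
        """Only the configured state is usable (Evard's second lesson)."""
        return self.state == "configured"

    def apply(self, transition: str) -> str:
        """Apply one transition from Figure 3.1, refusing any that does not
        start from the current state."""
        src, dst = TRANSITIONS[transition]
        if self.state != src:
            raise ValueError(f"{self.name}: cannot {transition!r} from {self.state!r}")
        self.history.append((self.state, transition, dst))
        self.state = dst
        return dst


def perform_update(m: Machine, succeeded: bool) -> str:
    """An update on a usable host is two transitions, not one: the host leaves
    'configured' for 'unknown' while the update runs and only comes back if the
    update succeeds.  A failed update leaves it in 'unknown', where debug or
    rebuild is needed."""
    if not m.usable():
        raise ValueError(f"{m.name}: updates are applied only to configured hosts")
    m.history.append((m.state, "update:start", "unknown"))
    m.state = "unknown"
    if succeeded:
        m.history.append((m.state, "update:done", "configured"))
        m.state = "configured"
    return m.state


def plan_to_configured(state: str, unknown_is_new: bool = False) -> list:
    """Positive transitions that bring a machine back to 'configured'.
    With unknown_is_new=True an 'unknown' host is treated like a new one and
    rebuilt from scratch instead of debugged in place."""
    paths = {
        "new": ["build", "initialize"],
        "clean": ["initialize"],
        "configured": [],
        "unknown": ["rebuild", "initialize"] if unknown_is_new else ["debug"],
    }
    if state not in paths:
        raise ValueError(f"no positive path from {state!r} to 'configured'")
    return paths[state]


if __name__ == "__main__":
    ws = Machine("ws01")
    for step in plan_to_configured(ws.state):
        ws.apply(step)
    print(ws.name, "usable:", ws.usable())
    print("after failed update:", perform_update(ws, succeeded=False))
    print("recovery plan:", plan_to_configured(ws.state, unknown_is_new=True))
```

The unknown_is_new switch is the automation policy the slide argues for: rather than trying to reason about a host whose state you cannot trust, rebuild it along the same path a new machine takes.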

20

Updates in a 24x7 age

• The host may have “live” users
  – Can’t be taken down while they’re on.
  – SMS (Microsoft Systems Management Server) can hold updates until a user logs off.
  – Bell Labs has an Auto Patch system for the same purpose.
• The host may be gone, e.g. a laptop.
• The host may be dual-boot.

21

Patch Propagation

A patch can actually create problems. So stage it:

• One machine.
• A few more – perhaps other SAs.
• Many.
  – Save the automated update for the “many” stage.
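The staging above, as an added example (not code from the slides): hosts are split into three rings, the pilot rings need an explicit sign-off, only the last “many” ring runs fully automated, and any host that fails to patch or fails a health check halts the rollout before the next ring. make_rings(), staged_rollout() and the ws01…ws10 host names are constructed; apply, healthy and approve are callbacks standing in for the package tool, a post-patch probe and the SA’s go/no-go.

```python
"""Staged patch propagation: one machine, a few more, then many.

Added example, not from the slides.  make_rings(), staged_rollout() and the
host names are constructed; apply/healthy/approve are callbacks the caller
supplies (in production: the package tool, a health probe, an SA's sign-off).
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RolloutResult:
    patched: list = field(default_factory=list)
    failed: list = field(default_factory=list)
    stopped_at_ring: Optional[int] = None     # None means every ring completed


def make_rings(all_hosts, sa_hosts):
    """Ring 0: one SA machine.  Ring 1: the other SAs.  Ring 2: everyone else."""
    sa = [h for h in sa_hosts if h in all_hosts]
    if not sa:
        raise ValueError("the first ring needs at least one SA-owned machine")
    one, few = [sa[0]], sa[1:]
    many = [h for h in all_hosts if h not in sa]
    return [ring for ring in (one, few, many) if ring]


def staged_rollout(rings, apply, healthy, approve):
    """Patch ring by ring.  Pilot rings (all but the last) are applied only after
    approve(ring_index, hosts) says so; the final 'many' ring is fully automated.
    Any failure or unhealthy host halts the rollout before the next ring."""
    result = RolloutResult()
    for i, ring in enumerate(rings):
        is_many = i == len(rings) - 1
        if not is_many and not approve(i, ring):
            result.stopped_at_ring = i
            return result
        for host in ring:
            if apply(host) and healthy(host):
                result.patched.append(host)
            else:
                result.failed.append(host)
                result.stopped_at_ring = i      # a bad patch never reaches the next ring
                return result
    return result


def demo(broken=("ws07",)):
    """Constructed fleet: ten workstations, two of them belonging to SAs."""
    hosts = [f"ws{n:02d}" for n in range(1, 11)]
    rings = make_rings(hosts, sa_hosts=["ws03", "ws04"])
    return staged_rollout(
        rings,
        apply=lambda h: h not in broken,        # stand-in for the package tool
        healthy=lambda h: True,                 # stand-in for a post-patch probe
        approve=lambda i, ring: True,           # stand-in for the SA's go/no-go
    )


if __name__ == "__main__":
    r = demo()
    print("patched:", r.patched)
    print("failed:", r.failed, "stopped at ring:", r.stopped_at_ring)
```

The health check matters as much as the apply step: a patch that installs cleanly but breaks something is exactly the case the slide warns about, and it should be caught on the one SA machine, not on the “many”.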

22

What About Stop-Gaps?

• You have a need that isn’t on the standard load

• You implement the change

• Put it into a ticket!

23

Rogue DHCP Servers

• Router connected backwards
• “I was just trying LINUX”
  – And he loaded “everything” (and activated it).
• Internet Connection Sharing
  – Example: Southern Village. The second NIC in a student’s computer is used to connect to a cable modem. He wishes to share the bandwidth with a friend in Talge.

24

Symptoms of a Rogue

• As machines are rebooted, they act strangely and sometimes don’t get an IP address.

• DHCP renewal often takes a surprisingly long time.

• Refreshed Ethernet links get strange addresses (which may or may not “work”).

25

Tracing a Rogue

Collect all the information you can.
• From a computer getting a bad IP address:
  – What IP address were they getting?
    • (192.168.0.x may mean “D-Link router”.)
  – What is the IP address of the DHCP server?
  – From another LINUX machine, use arp -a
    • And “grep” for the IP address to pick up the MAC address.
• Temporarily turn off your DHCP server and refresh a workstation

26

“Sharing”

[Figure: Computer 1 has two NICs. Wireless (shared) connects to the building’s network; Wired, with address 192.168.0.1, connects to a hub or switch where other machines are attached.]

Computer 1 has a wireless connection to the building’s network so they can get through your firewall. That connection is shared so others can have the same privilege.

Sharing means the other NIC is now functioning as a DHCP server!

Now other machines in your network may be receiving DHCP from this computer!

27

Another way to share

• Use Bridged sharing
• Connects your network with whatever network they’ve connected to
  – Connects the DHCP server on the wireless network they are “sharing” with your workstations
  – So the rogue DHCP server is actually not in your building!

28

What Good is a MAC address?

• It may be in your database.
  – The machine has been “upgraded” to a new one and somebody tried something with the old box.

• You can look up the Ethernet vendor to see what brand it is – narrowing down the field.

• Intelligent switches can be queried as to the physical location of a specific MAC.

• But remember, a MAC address can be changed or even spoofed.
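The “Tracing a Rogue” and “What Good is a MAC address?” slides together describe a procedure: take the bad address and server address reported by an affected workstation, look the server up in another machine’s arp -a output to get its MAC, and use the OUI to guess the brand while remembering the MAC is only a hint. Here is that procedure as an added example (not code from the slides). The lease records, the arp -a text (Linux net-tools format) and the OUI table are constructed stand-ins; the OUI prefixes are placeholders, not real vendor assignments; parse_arp(), vendor() and find_rogues() are my own names.

```python
"""Tracing a rogue DHCP server from what a workstation tells you.

Added example, not from the slides.  The lease records, the arp -a output and
the OUI table are constructed stand-ins (the OUI prefixes are placeholders,
not real vendor assignments); parse_arp(), find_rogues() and vendor() are my
own names.  The arp -a line format is the Linux net-tools one.
"""
import ipaddress
import re

# "? (192.168.0.1) at 00:11:22:33:44:55 [ether] on eth0"
ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"\[ether\] on (?P<iface>\S+)", re.IGNORECASE)

CONSUMER_DEFAULT = ipaddress.ip_network("192.168.0.0/24")   # "may mean D-Link router"

# Constructed OUI table: first three octets -> vendor.  Placeholders only.
OUI_TABLE = {"00:11:22": "ExampleRouterCo", "aa:bb:cc": "ExampleLaptopCo"}


def parse_arp(text):
    """Map IP -> (MAC, interface) from `arp -a` output; skip incomplete entries."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m["ip"]] = (m["mac"].lower(), m["iface"])
    return table


def vendor(mac):
    """Vendor guess from the OUI; the MAC can be changed or spoofed, so it is a hint."""
    return OUI_TABLE.get(mac[:8].lower(), "unknown OUI")


def find_rogues(leases, authorized_servers, arp_text, site_prefix):
    """leases: (client, assigned_ip, server_ip) as reported by affected machines.
    Returns one finding per lease handed out by an unauthorized server."""
    arp = parse_arp(arp_text)
    site = ipaddress.ip_network(site_prefix)
    findings = []
    for client, assigned, server in leases:
        if server in authorized_servers:
            continue
        reasons = [f"DHCP server {server} is not an authorized server"]
        a = ipaddress.ip_address(assigned)
        if a not in site:
            reasons.append(f"assigned {assigned} is outside {site_prefix}")
        if a in CONSUMER_DEFAULT:
            reasons.append("192.168.0.x: typical consumer router / ICS default range")
        mac, iface = arp.get(server, (None, None))
        findings.append({
            "client": client, "server": server, "mac": mac, "iface": iface,
            "vendor": vendor(mac) if mac else None,
            "mac_is_hint_only": True,       # MACs can be spoofed; confirm via the switch port
            "reasons": reasons,
        })
    return findings


# Constructed sample: what affected workstations reported and what `arp -a` on a Linux box showed.
SAMPLE_LEASES = [
    ("ws12", "10.20.4.51", "10.20.0.5"),       # normal: the real server
    ("ws17", "192.168.0.102", "192.168.0.1"),  # rogue consumer router / ICS host
    ("ws21", "10.20.4.77", "10.20.4.33"),      # rogue handing out addresses on our own subnet
]
SAMPLE_ARP = """\
? (10.20.0.5) at 02:00:00:00:00:05 [ether] on eth0
? (192.168.0.1) at 00:11:22:33:44:55 [ether] on eth0
? (10.20.4.33) at aa:bb:cc:dd:ee:ff [ether] on eth0
? (10.20.4.90) at <incomplete> on eth0
"""

if __name__ == "__main__":
    for f in find_rogues(SAMPLE_LEASES, {"10.20.0.5"}, SAMPLE_ARP, "10.20.0.0/16"):
        print(f["client"], "<-", f["server"], f["mac"], f["vendor"], "|", "; ".join(f["reasons"]))
```

The MAC and vendor guess narrow the field, as the slide says; the authoritative answer still comes from asking the intelligent switch which port has seen that MAC, and that query is where to go next rather than trusting the OUI.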
