Difference between revisions of "Machine/justice"

From Sugar Labs
(Add info about management cards)
 
(15 intermediate revisions by 5 users not shown)
Line 3: Line 3:
 
== Hostnames ==
 
== Hostnames ==
 
* justice.sugarlabs.org
 
* justice.sugarlabs.org
* freedom.sugarlas.org
+
* freedom.sugarlabs.org
  
=== Info ===
+
== Info ==
  
 
Freedom and Justice are two twin KVM hosts bought by Sugar Labs in 2012.
 
Freedom and Justice are two twin KVM hosts bought by Sugar Labs in 2012.
  
 
Justice is currently our primary VM hosting box, while freedom is a hot-standby running some secondary services in docker containers and backups.
 
Justice is currently our primary VM hosting box, while freedom is a hot-standby running some secondary services in docker containers and backups.
 +
 +
== Machines ==
 +
 +
The following machines services are hosted:
 +
 +
* [[Machine/lightwave]], [[Service/Nameservers]],
 +
* [[Machine/pootle]], [[Service/translate]],
 +
* [[Service/activities]] aslo,
 +
* [[Machine/library]],
 +
* [[Machine/aslo4]],
 +
* [[Machine/jita]], [[Service/git]], [[Service/jabber]], [[Service/meeting]], [[Service/obs]], [[Service/chat]], [[Service/cgit]], [[Service/blacklist]], [[Service/stats]],
  
 
== Hardware ==
 
== Hardware ==
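
Review bot: In the new Machines section, the intro line "The following machines services are hosted:" is missing a conjunction, and every list item ends in a trailing comma, including the last one. Suggest "The following machines and services are hosted:" and dropping the commas. The bare word "aslo" after [[Service/activities]] is also unexplained; either link it like the other entries or remove it.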
Line 19: Line 30:
  
 
== Management ==
 
== Management ==
The two servers have awful SMT management cards from Supermicro:
+
The two servers have SMT management cards from Supermicro with a seriously awful web interface:
 
* [http://justice-mng.sugarlabs.org/ justice-mng.sugarlabs.org]
 
* [http://justice-mng.sugarlabs.org/ justice-mng.sugarlabs.org]
 
* [http://freedom-mng.sugarlabs.org/ freedom-mng.sugarlas.org]
 
* [http://freedom-mng.sugarlabs.org/ freedom-mng.sugarlas.org]
Full KVM support requires the Java browser plugin (yuck!), so we mostly use them for the big reset button in case a server hangs (it happened about once per year).
+
Of course you need a separate account. Full KVM support requires the Java browser plugin (yuck!), so we mostly use them for the big reset button in case a server hangs (it happened about once per year).
 +
 
 +
'''Use a long, unguessable password, but not one you're also using elsewhere! A few years ago, a backdoor was discovered in this firmware which would reveal all passwords in plaintext with a simple telnet! Also, login uses unencrypted http.'''
  
Both cards are running firmware version 3.16, which patched a huge backdoor that would trivially reveal all passwords in plaintext. No kidding.  There's a [https://www.supermicro.com/support/resources/bios_ipmi.php?vendor=2&keywords=H8S newer firmware version], but attempts to update to it failed with both Chrome and Firefox. I suspect a bug in their http POST implementation :-(
+
It's also possible to talk to the management card from Linux using ipmitool.
 +
 
 +
Both cards are running firmware version 3.16, which patched a huge backdoor that would trivially reveal all passwords in plaintext. No kidding.  There's a [https://www.supermicro.com/support/resources/bios_ipmi.php?vendor=2&keywords=H8S newer firmware version], but attempts to update to it failed with both Chrome and Firefox (error: "413 - Request Entity Too Large"). I suspect a bug in their http POST implementation :-(
  
 
== Software ==
 
== Software ==
* Ubuntu Precise (12.04) amd64  on justice
+
* Justice: Ubuntu 18.04 LTS Bionic
* Ubuntu 14.04 LTS on freedom
+
* Freedom: Ubuntu 18.04 LTS Bionic
  
 
== Location ==
 
== Location ==
Hosted by the [http://media.mit.edu/ MIT Media Lab], building E15.
+
Hosted by the [http://media.mit.edu/ MIT Media Lab] in server room E15-243.
  
 
== Admins ==
 
== Admins ==
* [[User:Bernie|Bernie Innocenti]], bernie on #sugar Freenode
+
* [[User:MrBIOS|Alex Perez]], aperezbios on #sugar libera.chat
* [[User:Scg|Samuel Cantero]], scg on #sugar Freenode
+
* [[User:Bernie|Bernie Innocenti]], bernie on #sugar libera.chat
* [[User:Dogi|Stefan Unterhauser]], dogi on #sugar or [http://mibbit.com/?channel=%23treehouse&server=irc.oftc.net #treehouse]
+
* [[User:Srevin03|Srevin Saju]], srevinsaju on #sugar on libera.chat
* [[User:SAMdroid|Sam]], samdroid on #sugar on Freenode
 
  
 
== Network configuration ==
 
== Network configuration ==
 
Justice is globally accessible through public, static IPv4.
 
Justice is globally accessible through public, static IPv4.
 
The IPv6 /64 subnet (6to4) is currently experimental and not associated with AAAA records.
 
The IPv6 /64 subnet (6to4) is currently experimental and not associated with AAAA records.
 
IPs 18.85.44.59-77 are available for hosted VMs.
 
  
 
== Hosted VMs ==
 
== Hosted VMs ==
All KVM virtual machines are managed by libvirtd. Yes, that's scary.
+
All KVM virtual machines are managed by libvirtd.
  
 
See [[Sysadmin/Add virtual machine]] for creating new VMs.
 
See [[Sysadmin/Add virtual machine]] for creating new VMs.
  
 
{{Special:PrefixIndex/{{PAGENAME}}/}}
 
{{Special:PrefixIndex/{{PAGENAME}}/}}
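
Review bot: The new bold warning in the Management section says a backdoor "would reveal all passwords in plaintext with a simple telnet", while the firmware paragraph two lines later says version 3.16 already patched it, so a reader who stops at the warning cannot tell whether the cards are still exposed. Suggest stating in the warning itself that 3.16 contains the fix and keeping the unencrypted-http login as the remaining reason for a unique password. Separately, the freedom management link label still reads "freedom-mng.sugarlas.org" even though this revision corrects the same typo under Hostnames.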

Latest revision as of 21:13, 2 July 2021

Hostnames

  • justice.sugarlabs.org
  • freedom.sugarlabs.org

Info

Freedom and Justice are two twin KVM hosts bought by Sugar Labs in 2012.

Justice is currently our primary VM hosting box, while freedom is a hot-standby running some secondary services in docker containers and backups.

Machines

The following machines and services are hosted:

Hardware

  • 2U rack-mountable case
  • Motherboard Supermicro H8SGL (or maybe H8SGL-F)
  • 8-core Opteron 6212 @ 1.7GHz
  • 64GB RAM
  • 2x1TB RAID1

Management

The two servers have SMT management cards from Supermicro with a seriously awful web interface:

Of course you need a separate account. Full KVM support requires the Java browser plugin (yuck!), so we mostly use them for the big reset button in case a server hangs (it happened about once per year).

Use a long, unguessable password, but not one you're also using elsewhere! A few years ago, a backdoor was discovered in this firmware which would reveal all passwords in plaintext with a simple telnet! Also, login uses unencrypted http.

It's also possible to talk to the management card from Linux using ipmitool.

Both cards are running firmware version 3.16, which patched a huge backdoor that would trivially reveal all passwords in plaintext. No kidding. There's a newer firmware version, but attempts to update to it failed with both Chrome and Firefox (error: "413 - Request Entity Too Large"). I suspect a bug in their http POST implementation :-(
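
A firmware check over ipmitool, added here as an example and not part of the original wiki page: it reads the "Firmware Revision" line from `ipmitool mc info` output and compares it with 3.16, the version this page says patched the backdoor. The sample output is constructed, and the function names, `$BMC_USER` and the use of the `lanplus` interface are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify a BMC reports at least
# the firmware version the page names as containing the backdoor fix.
MIN_FW="3.16"

# Print the firmware revision found in `ipmitool mc info` text on stdin.
fw_revision() {
    awk -F: '/^Firmware Revision/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Succeed if version $1 >= version $2 (numeric major.minor comparison).
fw_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        if (x[1]+0 != y[1]+0) exit !(x[1]+0 > y[1]+0)
        exit !(x[2]+0 >= y[2]+0)
    }'
}

# Classify one BMC from mc info text on stdin.
# Prints "ok <ver>", "outdated <ver>" or "unknown"; exit status 0, 1 or 2.
check_bmc() {
    ver=$(fw_revision)
    [ -n "$ver" ] || { echo "unknown"; return 2; }
    if fw_at_least "$ver" "$MIN_FW"; then
        echo "ok $ver"
    else
        echo "outdated $ver"
        return 1
    fi
}

# Constructed sample of `ipmitool mc info` output (not captured from the real cards).
sample_mc_info() {
cat <<'EOF'
Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 3.16
IPMI Version              : 2.0
Manufacturer ID           : 10876
EOF
}

sample_mc_info | check_bmc

# Live use (assumes ipmitool is installed; -E reads the password from $IPMI_PASSWORD):
#   ipmitool -I lanplus -H justice-mng.sugarlabs.org -U "$BMC_USER" -E mc info | check_bmc
#   ipmitool -I lanplus -H justice-mng.sugarlabs.org -U "$BMC_USER" -E chassis power status
```

Passing the password with `-E` keeps it out of the process list and shell history, which `-P` on the command line would not.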

Software

  • Justice: Ubuntu 18.04 LTS Bionic
  • Freedom: Ubuntu 18.04 LTS Bionic

Location

Hosted by the MIT Media Lab in server room E15-243.

Admins

Network configuration

Justice is globally accessible through public, static IPv4. The IPv6 /64 subnet (6to4) is currently experimental and not associated with AAAA records.

Hosted VMs

All KVM virtual machines are managed by libvirtd.

See Sysadmin/Add virtual machine for creating new VMs.