Difference between revisions of "Machine/justice"

From Sugar Labs
Jump to navigation Jump to search
Line 19: Line 19:
  
 
== Management ==
 
== Management ==
The two servers have awful SMT management cards from Supermicro:
+
The two servers have SMT management cards from Supermicro with a seriously awful web interface:
 
* [http://justice-mng.sugarlabs.org/ justice-mng.sugarlabs.org]
 
* [http://justice-mng.sugarlabs.org/ justice-mng.sugarlabs.org]
 
* [http://freedom-mng.sugarlabs.org/ freedom-mng.sugarlas.org]
 
* [http://freedom-mng.sugarlabs.org/ freedom-mng.sugarlas.org]
Full KVM support requires the Java browser plugin (yuck!), so we mostly use them for the big reset button in case a server hangs (it happened about once per year).
+
Of course you need a separate account. Full KVM support requires the Java browser plugin (yuck!), so we mostly use them for the big reset button in case a server hangs (it happened about once per year).
  
Both cards are running firmware version 3.16, which patched a huge backdoor that would trivially reveal all passwords in plaintext. No kidding.  There's a [https://www.supermicro.com/support/resources/bios_ipmi.php?vendor=2&keywords=H8S newer firmware version], but attempts to update to it failed with both Chrome and Firefox. I suspect a bug in their http POST implementation :-(
+
'''Use a long, non guessable password, but not one you're using elsewhere. This firmware used to have a backdoor which would trivially reveal all passwords in plaintext via telnet! Also, login uses unencrypted http.'''
 +
 
 +
It's also possible to talk to the management card from Linux using ipmitool.
 +
 
 +
Both cards are running firmware version 3.16, which patched a huge backdoor that would trivially reveal all passwords in plaintext. No kidding.  There's a [https://www.supermicro.com/support/resources/bios_ipmi.php?vendor=2&keywords=H8S newer firmware version], but attempts to update to it failed with both Chrome and Firefox (error: "413 - Request Entity Too Large"). I suspect a bug in their http POST implementation :-(
  
 
== Software ==
 
== Software ==

Revision as of 07:32, 27 June 2018

Hostnames

  • justice.sugarlabs.org
  • freedom.sugarlas.org

Info

Freedom and Justice are two twin KVM hosts bought by Sugar Labs in 2012.

Justice is currently our primary VM hosting box, while freedom is a hot-standby running some secondary services in docker containers and backups.

Hardware

  • 2U rack-mountable case
  • Motherboard Supermicro H8SGL (or maybe H8SGL-F)
  • 8-core Opteron 6212 @ 1.7GHz
  • 64GB RAM
  • 2x1TB RAID1

Management

The two servers have SMT management cards from Supermicro with a seriously awful web interface:

Of course you need a separate account. Full KVM support requires the Java browser plugin (yuck!), so we mostly use them for the big reset button in case a server hangs (it happened about once per year).

Use a long, non guessable password, but not one you're using elsewhere. This firmware used to have a backdoor which would trivially reveal all passwords in plaintext via telnet! Also, login uses unencrypted http.

It's also possible to talk to the management card from Linux using ipmitool.

Both cards are running firmware version 3.16, which patched a huge backdoor that would trivially reveal all passwords in plaintext. No kidding. There's a newer firmware version, but attempts to update to it failed with both Chrome and Firefox (error: "413 - Request Entity Too Large"). I suspect a bug in their http POST implementation :-(

Software

  • Justice: Ubuntu 14.04 LTS (needs update)
  • Freedom: Ubuntu 14.04 LTS (needs update)

Location

Hosted by the MIT Media Lab, building E15.

Admins

Network configuration

Justice is globally accessible through public, static IPv4. The IPv6 /64 subnet (6to4) is currently experimental and not associated with AAAA records.

IPs 18.85.44.59-77 are available for hosted VMs.

Hosted VMs

All KVM virtual machines are managed by libvirtd.

See Sysadmin/Add virtual machine for creating new VMs.