February 2022 Archives

Fri Feb 18 15:03:42 +07 2022

Amanda loses connection to certain Ubuntu servers

It seems that from time to time amanda will lose connection to some servers running Ubuntu.

In the daily amanda mail report, there will be lines like:

puffer1000 / lev 0 FAILED [Request to puffer1000 failed: timeout waiting for ACK]

and an amcheck -c on that host will return an error.

This can be cleared by restarting inetd on the affected servers:

sudo service inetd restart
or xinetd on firewall:
sudo service xinetd restart
There is a very twisted automation on Ubuntu that overwrites the contents of /etc/inetd.conf (linked to update-inetd; they really have to mess with everything) so I changed to using only xinetd.

Posted by Olivier | Permanent link | File under: administration, backup

Wed Feb 16 13:26:20 +07 2022

Naming virtual machines

When a virtual machine (VM) is created to be used/managed by a user, it should not persist when the user leaves AIT.

Proper naming of the VMs will allow the scripts that manage the user accounts to automatically back-up and delete the obsolete VMs.

The name of the VMs should be of the form:

  1. In the simplest form, the name of the VM is the username, for example st12345
  2. If one user needs more than one VM, the VM name can start with the username, followed by a space or - or _ and some number or index; for example st123456-2 or st123456 banana
  3. Alternatively, it is possible to set the name of the owner of the VM in the VM notes; the line should be of the form owner=st123456
    Note that the check is very loose on this form: if the string owner=user matches, whatever follows that string is accepted.

Any VM that follows these conventions will be automatically backed up in the user's home directory and deleted from the virtual server when the user's account expires.
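The matching rules above, written out as an added example (not the actual AIT account-management script). The function names, the strict variant of the notes check and the sample inventory are assumptions made for illustration; the point is that the loose owner= match also selects a VM belonging to a longer username, which matters when a match leads to deletion.

```python
import re

def owns_by_name(vm_name, user):
    # Rules 1 and 2: the bare username, or the username followed by
    # a space, '-' or '_' and an index.
    return re.fullmatch(re.escape(user) + r"(?:[ _-].+)?", vm_name) is not None

def owns_by_notes_loose(notes, user):
    # Rule 3 as described: anything after "owner=<user>" is accepted.
    return ("owner=" + user) in notes

def owns_by_notes_strict(notes, user):
    # Assumed hardening: the owner line must end right after the username.
    pattern = r"^[ \t]*owner=" + re.escape(user) + r"[ \t\r]*$"
    return re.search(pattern, notes, re.MULTILINE) is not None

def vms_to_retire(vms, user, strict=False):
    # vms is a list of (name, notes) pairs; returns the names owned by user.
    by_notes = owns_by_notes_strict if strict else owns_by_notes_loose
    return [n for n, notes in vms if owns_by_name(n, user) or by_notes(notes, user)]

# Constructed inventory, not real AIT data.
SAMPLE_VMS = [
    ("st123456", ""),
    ("st123456-2", ""),
    ("st123456 banana", ""),
    ("st1234567", ""),                        # a different, longer username
    ("webtest", "lab VM\nowner=st123456"),
    ("dbtest", "owner=st1234567"),            # notes name another user
]

if __name__ == "__main__":
    print("loose :", vms_to_retire(SAMPLE_VMS, "st123456"))
    print("strict:", vms_to_retire(SAMPLE_VMS, "st123456", strict=True))
```

With the loose check, dbtest is selected for st123456 even though its notes name st1234567; the name-based rules do not have this problem because a separator is required after the username.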


Posted by Olivier | Permanent link | File under: administration, vmware

Mon Feb 14 13:53:07 +07 2022

Managing eduroam profile on enterprise-wifi.net

enterprise-wifi.net is a very strong tool to create automatic configuration for eduroam. Once the eduroam profile has been created, auto-configuration scripts can be downloaded for Windows, Mac-OS and Linux (so far, no script is available for Android).

Safely configuring an eduroam profile by hand can be tricky, as it requires very specific steps to be executed in a given order; enterprise-wifi.net is a great time and headache saver.

But it comes with some caveats.

Managing the administrators

Only Google accounts can create and manage profiles on enterprise-wifi.net. Furthermore, I could not find a way to assign the master administrator role to someone else: the user who first created the profile is the only one that can add administrators. When that user becomes invalid in Google, a totally new profile must be created from scratch.

The profile used for AIT/CSIM has been created by nicoleo@ait.asia

Managing the certificates

For a PEAP-MSCHAPv2 profile, the profile must include a root certificate authority, even when you use a properly certified certificate and the infrastructure is able to provide all the CAs, root and intermediates.

As a consequence, if the CA included in the profile expires, the profile needs to be generated anew and every device must install the new profile.

As of February 2022, we are using the following:

The profile will have to be updated by September 2024.

The intermediate CAs are provided by Let's Encrypt when signing or renewing a certificate; they are in the file ca.cert. The root CA, I found it on Let's Encrypt's web page about the chain of trust.


Posted by Olivier | Permanent link | File under: administration, wireless

Fri Feb 11 11:25:04 +07 2022

Installing ESXi 6.x on Dell R740

Dell PowerEdge R740 comes with the RAID controller PERC H750 and the drivers for this controller are not on the .iso installer for VMware ESXi 6.x.

I used the following method to install the hypervisor.

  1. Create the virtual disk on the RAID controller;
  2. Download the proper driver from VMware Compatibility Guide;
  3. Connect a spare disk via USB or use a USB key; this will be used to do a temporary installation.
    Note: it is very important that the temporary disk or the USB key is smaller than the RAID volume created at step 1;
  4. Install ESXi on the temporary disk or the USB key;
  5. Install the driver for the RAID controller; it should be done with a command like:
    esxcli software vib install -d filename.zip
  6. Boot the newly installed ESXi from the temporary disk or USB key; you should be able to go to the storage and see the RAID/PERC H750 volume;
    Note: it is very important that you create a different temporary install for each server (steps 4 and 5); if you clone one single image to several ESXi servers, you will have some UUID conflicts later;
  7. Reboot the system with a live Linux;
  8. Copy the system from the temporary disk or USB key to the RAID virtual disk, use a command like:
    dd if=/dev/sdx of=/dev/sdy
  9. Remove the temporary disk or USB and reboot into the newly installed ESXi.

Another solution would be to install PowerCLI to prepare a new installation medium that includes the RAID driver.


Posted by Olivier | Permanent link | File under: administration, vmware