
Thread: Security Question

  1. #1
    admin_kusu


    1. I notice that user "root" does not have a password set in mysql. I
    assume if I set this it will break most of the scripts? Is this supported?

    2. Not wanting dhcpd on the public network. By default kusu sets up dhcp
    for both cluster and public networks. Is there a config option to not allow
    dhcpd on the public network? (this would include having multiple public
    interfaces) (I could block bootp with iptables but it would be cleaner not
    to have dhcp on the public interface)

    Thanks,
    Mahmoud Hanafi
    Sr. System Administrator
    CSC HPC COE
    Bld. 676
    2435 Fifth Street
    WPAFB, Ohio 45433
    (937) 255-1536


    Computer Sciences Corporation
    Registered Office: 2100 East Grand Avenue, El Segundo California 90245,
    USA
    Registered in USA No: C-489-59

    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    This is a PRIVATE message. If you are not the intended recipient, please
    delete without copying and kindly advise us by e-mail of the mistake in
    delivery.
    NOTE: Regardless of content, this e-mail shall not operate to bind CSC to
    any order or other contract unless pursuant to explicit written agreement
    or government initiative expressly permitting the use of e-mail for such
    purpose.
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


  2. #2
    admin_kusu


    Hi Mahmoud

    Yes by all means set the root password in mysql. The scripts use the
    apache and no user accounts. Apache for write access, and no user for
    select only.

    You should only have dhcp on the provisioned networks. The script that
    generates the dhcpd.conf is in /opt/kusu/lib/plugins/genconfig/dhcpd.py
    The query it uses should exclude those where network.type is not
    'provisioned'.

    Try running:
    # sqlrunner -q 'select netid,network,type from networks'
    One (or more) should be public, and on these there should be no DHCP.

    Is this an install from a yum repository?


    Mark



    -----Original Message-----
    From: kusu-users-bounces@osgdc.org
    [mailto:kusu-users-bounces@osgdc.org]On Behalf Of Mahmoud Hanafi
    Sent: Thursday, February 28, 2008 2:03 PM
    To: Users of Kusu
    Subject: [Kusu-users] Security Question


    1. I notice that user "root" does not have a password set in mysql. I
    assume if I set this it will break most of the scripts? Is this supported?

    2. Not wanting dhcpd on the public network. By default kusu sets up dhcp
    for both cluster and public networks. Is there a config option to not allow
    dhcpd on the public network? (this would include having multiple public
    interfaces) (I could block bootp with iptables but it would be cleaner not
    to have dhcp on the public interface)

    Thanks,
    Mahmoud Hanafi
    _______________________________________________
    Kusu-users mailing list
    Kusu-users@osgdc.org
    http://mail.osgdc.org/mailman/listinfo/kusu-users
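
Added example (not part of the original thread and not Kusu's own code): a check, following Mark's description above, that flags any subnet declared in a generated dhcpd.conf for a network whose type is not 'provisioned'. The row layout assumed for the sqlrunner output, the sample networks and the sample dhcpd.conf are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample rows as (netid, network, type). The real output layout
# of the sqlrunner query is not shown in the thread, so this shape is assumed.
NETWORK_ROWS = [
    (1, "10.1.0.0", "provisioned"),
    (2, "192.0.2.0", "public"),
]

# Constructed dhcpd.conf containing one subnet that should not be there.
DHCPD_CONF = """\
subnet 10.1.0.0 netmask 255.255.0.0 {
    option routers 10.1.0.1;
}
subnet 192.0.2.0 netmask 255.255.255.0 {   # public network
    range 192.0.2.100 192.0.2.200;
}
"""

SUBNET_RE = re.compile(r"^\s*subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{", re.MULTILINE)


def declared_subnets(conf_text):
    """Return the subnets declared in dhcpd.conf, skipping commented-out text."""
    text = re.sub(r"#.*", "", conf_text)  # drop comments up to end of line
    return [ipaddress.ip_network(f"{a}/{m}") for a, m in SUBNET_RE.findall(text)]


def dhcp_on_non_provisioned(rows, conf_text):
    """Return the rows that are not 'provisioned' yet have a subnet declaration."""
    subnets = declared_subnets(conf_text)
    findings = []
    for netid, network, ntype in rows:
        if ntype == "provisioned":
            continue
        addr = ipaddress.ip_address(network)
        if any(addr in s for s in subnets):
            findings.append((netid, network, ntype))
    return findings


if __name__ == "__main__":
    for row in dhcp_on_non_provisioned(NETWORK_ROWS, DHCPD_CONF):
        print("DHCP subnet declared for non-provisioned network:", row)
```
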


  3. #3
    admin_kusu


    Not sure if I understand the question "Installed from yum repo". Is it in
    regards to the compute node?

    On an unrelated topic.
    I am getting the following error in http error_log.

    [date] [error] [client 192.168.0.5] File does not exits:
    /var/www/html/repos/1000/disc1
    .
    .
    Repeated many times

    An unrelated question.
    What http cgi url removes/changes the pxeconfig files from reinstall to
    boot normal?


    Mahmoud Hanafi

    "Mark Black" <mblack@platform.com>
    Sent by: kusu-users-bounces@osgdc.org
    02/28/2008 02:30 PM
    Please respond to: Users of Kusu <kusu-users@osgdc.org>
    To: "Users of Kusu" <kusu-users@osgdc.org>
    Subject: RE: [Kusu-users] Security Question

    Hi Mahmoud

    Yes by all means set the root password in mysql. The scripts use the
    apache and no user accounts. Apache for write access, and no user for
    select only.

    You should only have dhcp on the provisioned networks. The script that
    generates the dhcpd.conf is in /opt/kusu/lib/plugins/genconfig/dhcpd.py
    The query it uses should exclude those where network.type is not
    'provisioned'.

    Try running:
    # sqlrunner -q 'select netid,network,type from networks'
    One (or more) should be public, and on these there should be no DHCP.

    Is this an install from a yum repository?


    Mark






  4. #4
    admin_kusu


    Hi Mahmoud

    Just wanted to know if you installed from a DVD, which it sounds like
    you have.

    I've logged the bug you are seeing about the error_log.

    There are two things involved to change the pxeconfig.
    /depot/repos/nodeboot.cgi this in turn calls the boothost tool which
    does the real work.

    Mark


    -----Original Message-----
    From: kusu-users-bounces@osgdc.org
    [mailto:kusu-users-bounces@osgdc.org]On Behalf Of Mahmoud Hanafi
    Sent: Thursday, February 28, 2008 2:42 PM
    To: Users of Kusu
    Cc: Users of Kusu; kusu-users-bounces@osgdc.org
    Subject: RE: [Kusu-users] Security Question


    Not sure if I understand the question "Installed from yum repo". Is it in
    regards to the compute node?

    On an unrelated topic.
    I am getting the following error in http error_log.

    [date] [error] [client 192.168.0.5] File does not exits:
    /var/www/html/repos/1000/disc1
    .
    .
    Repeated many times

    An unrelated question.
    What http cgi url removes/changes the pxeconfig files from reinstall to
    boot normal?


    Mahmoud Hanafi

