Support #15802

Milestone #15057: Minos SLF5 retirement

Support #15792: Individual Minos SLF5 node shutdowns

minosgpvm01 retirement

Added by Arthur Kreymer over 3 years ago. Updated almost 3 years ago.

Status:
Work in progress
Priority:
Normal
Start date:
03/08/2017
Due date:
10/01/2017
% Done:

50%

Estimated time:
10.00 h
Duration: 208

Description

Retire minosgpvm01 aka minos-slf5 by 2017 Oct 01

History

#1 Updated by Arthur Kreymer over 3 years ago

RITM0535672 03/08 minosgpvm01 SLF5 variance

minosgpvm01
Property Tag
7 Month

Reason for request

Minos needs a reference SLF5 interactive system for diagnosing unexpected issues that may be seen by Minos after the SLF6 migration.
Production processes moved to SLF6 last year, but user code builds only moved in February.

Compensatory controls

Restrict incoming ssh access to minosgpvm03
____________________________

Controls were expanded

o Controls will be implemented by ECF/SSI as soon as the plan is approved,
well ahead of April 1

o User accounts will be limited to the Minos NIS group
maintained by ECF/SSI for the other Minos systems in GPCF.

o syslogs will be sent to clogger ( already set up )

o iptables will restrict incoming connections to ssh from minosgpvm03

o iptables will restrict outgoing connections to *.fnal.gov

o Existing NFS mounts will be maintained :

homesrv01.fnal.gov:/home
if-nas-0.fnal.gov:/minos/app
if-nas-0.fnal.gov:/nusoft/app
blue2:/fermigrid-app
blue2:/fermigrid-data
blue2:/fermigrid-fermiapp
blue3.fnal.gov:/minos/data
blue3:/nusoft/data
pnfs-stken:/pnfs/fs/usr/minos

o Minos will monitor user activity using ganglia and prochistory
Activity will be tracked in RITM0536827
____________________________

Arthur Lee
Additional comments (customer communication) 2017-03-15 11:07:48
Approved by CSBoard until 9/8/2017.

#2 Updated by Arthur Kreymer over 3 years ago

  • Status changed from Accepted to Assigned

#3 Updated by Arthur Kreymer over 3 years ago

  • Status changed from Assigned to Work in progress

#4 Updated by Arthur Kreymer over 3 years ago

  • Status changed from Work in progress to Assigned
  • % Done changed from 0 to 50

#5 Updated by Arthur Kreymer over 3 years ago

RITM0542212 03/22 implement minosgpvm01 SLF5 controls

RITM0535672 granted minosgpvm01 permission to continue to run SLF5
through 2017/09/08, subject to compensatory controls.

Please implement the compensatory controls specified in RITM0535672
as soon as is convenient, well ahead of the April 1 SLF5 restrictions.
My summary of the controls specified in RITM0535672 :

o Controls will be implemented by ECF/SSI as soon as the plan is approved,
well ahead of April 1

o User accounts will be limited to the Minos NIS group 
maintained by ECF/SSI for the other Minos systems in GPCF.

o syslogs will be sent to clogger ( already set up )

o iptables will limit incoming connections to ssh from minosgpvm03

o iptables will limit outgoing connections to *.fnal.gov

o Existing NFS mounts will be maintained :

homesrv01.fnal.gov:/home
if-nas-0.fnal.gov:/minos/app
if-nas-0.fnal.gov:/nusoft/app
blue2:/fermigrid-app
blue2:/fermigrid-data
blue2:/fermigrid-fermiapp
blue3.fnal.gov:/minos/data
blue3:/nusoft/data
pnfs-stken:/pnfs/fs/usr/minos

o Minos will monitor user activity using ganglia and prochistory
Activity will be tracked in RITM0536827

o Several SSI administrative nodes will also need access.
Access to these SSI admin nodes is restricted to ECF staff only.
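
One way to check a host against the two iptables controls listed above, as an added example that is not part of the ticket or of the ECF/SSI configuration: a small auditor over `iptables-save` text. iptables matches on addresses rather than DNS names, so "*.fnal.gov" has to be expressed as address ranges; the ranges, the source address standing in for minosgpvm03, and the sample ruleset below are constructed placeholders.

```python
import ipaddress
import shlex

# Constructed placeholders (RFC 5737 documentation ranges), not real site addresses.
SSH_SOURCE = "192.0.2.10/32"     # stands in for minosgpvm03
SITE_NETS = ["198.51.100.0/24"]  # stands in for the address space behind *.fnal.gov

# Constructed iptables-save excerpt: OUTPUT policy and two ACCEPT rules break the controls.
SAMPLE = """\
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -d 198.51.100.0/24 -j ACCEPT
-A OUTPUT -d 203.0.113.0/24 -j ACCEPT
"""

def _opt(tokens, *flags):
    """Return the value following the first of the given flags, or None."""
    return next((tokens[i + 1] for i, tok in enumerate(tokens[:-1]) if tok in flags), None)

def _within(cidr, nets):
    """True if cidr lies entirely inside one of the allowed networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(n)) for n in nets)

def audit(ruleset, ssh_source=SSH_SOURCE, site_nets=SITE_NETS):
    """Return findings where iptables-save text departs from the two iptables controls."""
    findings, policy = [], {}
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith(":"):                 # chain header, e.g. ":INPUT DROP [0:0]"
            policy[line[1:].split()[0]] = line.split()[1]
        t = shlex.split(line) if line.startswith("-A ") else []
        if len(t) < 2 or t[1] not in ("INPUT", "OUTPUT") or _opt(t, "-j") != "ACCEPT":
            continue
        # Loopback and replies on already-permitted flows add no new exposure.
        if _opt(t, "-i", "-o") == "lo" or "ESTABLISHED" in (_opt(t, "--state", "--ctstate") or ""):
            continue
        inbound = t[1] == "INPUT"
        addr = _opt(t, "-s") if inbound else _opt(t, "-d")
        # A negated match ("!") or a missing address cannot satisfy either control.
        ok = addr is not None and "!" not in t and _within(addr, [ssh_source] if inbound else site_nets)
        if inbound:                              # inbound must also be ssh (tcp/22) only
            ok = ok and _opt(t, "-p") == "tcp" and _opt(t, "--dport") == "22"
        if not ok:
            findings.append(f"{t[1]}: ACCEPT outside the controls: {line}")
    for chain in ("INPUT", "OUTPUT"):
        if policy.get(chain) != "DROP":
            findings.append(f"{chain}: default policy {policy.get(chain)}, expected DROP")
    return findings
```

Calling `audit(SAMPLE)` reports the unrestricted ssh rule, the outbound rule to an off-site range, and the permissive OUTPUT policy.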

#6 Updated by Arthur Kreymer about 3 years ago

  • Status changed from Assigned to Work in progress

#7 Updated by Arthur Kreymer almost 3 years ago

RITM0599341 08/28 minosgpvm01 SLF5 variation through Dec 2017

TASK0104349 updated 09/18
The exemption was indeed put in and is set to expire on Jan 12th;
obviously this should be revisited at CSBoard in Dec if an extension is needed.


