
Ignite server

 
SOLVED
Fabian Briseño
Esteemed Contributor

Ignite server


Hello. Good day to you all.

I have a question regarding security in an Ignite server environment.


I am installing an IGNITE SERVER; I have already installed the server and setup clients. Everything went fine.

I had to use REMSH in order to let the server see the clients.

I also had to edit the .rhosts file in each server (Ignite server and clients); to this end I used the root account in each server.

Having done this, anyone who accesses the Ignite server has direct root access to each of the servers by doing a simple TELNET. And this is where my question comes into play.

How can I make my Ignite server more secure? I know that patching the server and having a good password for root is a great start, but what else can I do?

I created an account of a lesser level than root in each server; the username I created is ignite, but when I tried to run Ignite it displays a message that "YOU NEED SUPERUSER RIGHTS TO USE THIS APPLICATION", which leaves me back at the beginning.

Knowledge is power.
10 REPLIES 10
DCE
Honored Contributor
Solution

Re: Ignite server


If I remember correctly, you no longer need the .rhosts after Ignite is installed.

Ignite uses NFS to perform the backups once it is configured, and as long as /etc/exports is configured correctly the backup will work fine.

I have my systems run a weekly ignite backup via root's cron to the ignite server with the following command:
/opt/ignite/bin/make_net_recovery -s pegasus -n 2 -x inc_entire=vg00 > /tmp/ignite.results 2>&1

where pegasus is the ignite server. I do not have any .rhosts files on the systems.
Steven E. Protter
Exalted Contributor

Re: Ignite server

Shalom,

One of the enhancements I've been asking for over the years is for Ignite to use openssh instead of the R-protocols.

Seems there has been some improvement but not total. An Ignite server brings many benefits, which you are aware of if you are configured. The cost is it can not be as secure as you wish.

I used to comment out the r-protocols in inetd.conf because they are only needed during Ignite operations. I'd reactivate them only when booting clients and it was needed. To do a make_net_recovery to NFS, there is no need for connectivity with the r-protocols. I think that's the essence of the first post.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Fabian Briseño
Esteemed Contributor

Re: Ignite server

Thanks for the quick response guys, I'll check this out and get back to you in a few days.

Thank you
Knowledge is power.
Bill Hassell
Honored Contributor

Re: Ignite server

The 'r' command (remsh, rcp, rlogin) all require .rhosts at the remote system and yes, it is a big security risk. A better solution is the one you started with the ignite user, but run the ignite program(s) with sudo. You can download sudo from HP's software site:

https://h20293.www2.hp.com/portal/swdepot/try.do?productNumber=HPUXIEXP1111

You can select one or more of the products to download for free. sudo should always be configured with specific commands for a given user (not ALL..)


Bill Hassell, sysadmin
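
An added example (not written by any poster in this thread) that audits a host for the two exposures described in the replies above: r-protocol services still active in inetd.conf, and .rhosts files left in home directories. The function names, directory layout and sample inetd.conf lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a host for the r-protocol exposures discussed above.

# Names of r-services still active (not commented out) in an inetd.conf file.
# "shell" = remsh/rcp, "login" = rlogin, "exec" = rexec.
active_r_services() {
    awk '$1 == "shell" || $1 == "login" || $1 == "exec" { print $1 }' "$1" | sort -u
}

# Every .rhosts file below a directory (for example the home directories).
find_rhosts() {
    find "$1" -type f -name .rhosts 2>/dev/null | sort
}

# .rhosts files containing a "+" wildcard, which trusts any host or any user.
wildcard_rhosts() {
    find_rhosts "$1" | while IFS= read -r f; do
        if awk '$1 == "+" || $2 == "+" { hit = 1 } END { exit !hit }' "$f"; then
            echo "$f"
        fi
    done
}

# Constructed sample data (not taken from a real system): writes a small
# inetd.conf and two home directories into directory $1.
make_sample() {
    mkdir -p "$1/home/root" "$1/home/ignite"
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample
ftp    stream tcp nowait root /usr/lbin/ftpd    ftpd -l
shell  stream tcp nowait root /usr/lbin/remshd  remshd
#login stream tcp nowait root /usr/lbin/rlogind rlogind
# exec stream tcp nowait root /usr/lbin/rexecd  rexecd
EOF
    echo "pegasus root" > "$1/home/root/.rhosts"
    echo "+ +"          > "$1/home/ignite/.rhosts"
}

# Demo run against the constructed sample.
demo=${TMPDIR:-/tmp}/rproto_audit.$$
make_sample "$demo"
echo "active r-services: $(active_r_services "$demo/inetd.conf" | tr '\n' ' ')"
echo "wildcard .rhosts:  $(wildcard_rhosts "$demo/home")"
rm -rf "$demo"
```

On a real system, point `active_r_services` at /etc/inetd.conf and `find_rhosts` at the home directory tree; an empty result from both is the state the replies above describe as sufficient for make_net_recovery over NFS.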
Fabian Briseño
Esteemed Contributor

Re: Ignite server

Sorry for the late response guys, but the Ignite server project was put on hold for a while.

You were right guys, editing .rhosts is not necessary.

But now I'm getting the following error when running make_net_recovery:

gzip: stdout: File too large
ERROR: The gzip command failed (exit status 1).

ERROR: The make_sys_image command failed. The system recovery archive will
not be created

Any ideas?
Knowledge is power.
Bill Hassell
Honored Contributor

Re: Ignite server

There is a file in the scope of your Ignite backup that is too large, probably greater than 2Gb. Since the make_tape_recovery command is designed to backup just the root volume group (OS and application directories), there should not be any large files in those directories. The backup tool cannot handle files larger than 2Gb.


Bill Hassell, sysadmin
Fabian Briseño
Esteemed Contributor

Re: Ignite server

There is a file in the scope of your Ignite backup that is too large, probably greater than 2Gb. Since the make_tape_recovery command is designed to backup just the root volume group (OS and application directories), there should not be any large files in those directories. The backup tool cannot handle files larger than 2Gb.

Hello.
I don't think it's a file. This error is happening with several servers, and for the few servers that do work, the image size is below 2GB.

I'm only backing up VG00 and excluding some filesystems that do not belong to the O.S.

Knowledge is power.
Torsten.
Acclaimed Contributor

Re: Ignite server

Bill was talking about a single file within the vg00, not the whole image.

What ignite version?

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
Dave Hutton
Honored Contributor

Re: Ignite server

The location where your archives are should have the largefiles on it.
A lot of our archives are 2 gigs+
So on your ignite server you just have to
fsadm -o largefiles /mntpoint where your archives are. By default it should be /var. But I sym link to a different filesystem in case it fills up from my images. Or if I need to grow the filesystem its just easier if the filesystem isn't a vg00 one.

Once you've added the largefiles, exportfs them again and it should work.