Inventory System Administrator Documentation

The inventory system tracks CSCF and Computer Science equipment in a database. It can be accessed at https://cs.uwaterloo.ca/cscf/internal/inventory/. It is also used by MFCF.

System Specifications

Hardware

The CSCF Inventory system runs on our main webserver, www152.cs.uwaterloo.ca, and our MySQL server, mysql.cs.uwaterloo.ca.

The MFCF version runs on our webserver, using the same code as CSCF's, but with a configuration check to load from an MFCF database. See our main configuration file, detailed below.

Software

  • File Path corresponding to root URL:
    www152.cs:/software/odyssey-3_apache/data/vhosts/cs.uwaterloo.ca/cscf/internal/inventory
  • File Path of main configuration file:
    www152.cs:/software/odyssey-3_apache/data/vhosts/cs.uwaterloo.ca/cscf/internal/inventory/web/inventory/protected/config/main.php
  • Apache Error log files:
    www152.cs:/software/odyssey-3_apache/logs/yyyy/mm/dd/www152-errors-cs-ssl
  • Web Framework log files:
    www152.cs:/software/odyssey-3_apache/data/vhosts/cs.uwaterloo.ca/cscf/internal/inventory/web/inventory/protected/runtime/application.log
  • Database:
    • Stored on mysql.cs
    • Named "equipment"
    • Access is via command-line or phpMyAdmin

Automatically Updated tables

  • The "aux_hosts" and "aux_domains" tables are updated by a cron job run as user "cs-inv" on host "www152.cs" once an hour, at 19 minutes past the hour, between 6:19 a.m. and 8:19 p.m. The Perl command, /u/cs-inv/infoblox-scripts/exportNetToDB.pl, queries the Infoblox DNS database to produce a cache of records known to be part of the CS environment. It selects these hosts by looking for Extended Attribute Primary OU = 'CS'.

Authentication and Authorization

Authentication via the browser is handled by the university's Central Authentication Service (CAS). Your WatIAM credentials will give you access and your session will be valid until midnight. If you are not already logged in to CAS, the inventory system will prompt you for a username and password when you attempt to view one of its pages.

Architecture

The Inventory system is written in the PHP MVC framework 'Yii'. The main configuration file can be found at:
/u/cs-inv/l/inventory/web/inventory/protected/config/main.php

Due to the permissions model of flexsuexec, when this code is updated from revision control, it is important that executable PHP remain owned by user "cs-inv", with "u+xs" and "o-wx" permissions. Otherwise, end-users will see an error message in the form:
500 flexsuexec error 15: target CGI is too accessible: ... ServicesAjaxHandler.php
The only scripts that are run directly under the user's own permissions are in the "$ROOT/web/inventory/" directory. Currently, those scripts are:

  • index.php
  • ServicesAjaxHandler.php.
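
One way to check this after an update from revision control, as an added example rather than code from the inventory project. The function names are hypothetical and the inventory root ($ROOT above) is passed as the first argument. It reads "u+xs" and "o-wx" as setuid and owner-execute set, with write and execute cleared for others.

```shell
#!/bin/sh
# Added example, not part of the inventory code base. Assumes GNU stat.

# mode_problems MODE: print each way an octal mode (e.g. 4750) breaks the
# documented "u+xs" / "o-wx" rule; return 0 only when there are none.
mode_problems() {
    m=$((0$1))   # leading 0: the shell reads the value as octal
    rc=0
    [ $((m & 04000)) -ne 0 ] || { echo "setuid bit missing (u+s)"; rc=1; }
    [ $((m & 0100)) -ne 0 ] || { echo "owner execute bit missing (u+x)"; rc=1; }
    [ $((m & 0002)) -eq 0 ] || { echo "writable by others (o+w)"; rc=1; }
    [ $((m & 0001)) -eq 0 ] || { echo "executable by others (o+x)"; rc=1; }
    return $rc
}

# audit_file FILE OWNER: report wrong ownership or mode; 0 means compliant.
audit_file() {
    file=$1; want=$2; bad=0
    owner=$(stat -c '%U' "$file") || return 2
    mode=$(stat -c '%a' "$file") || return 2
    if [ "$owner" != "$want" ]; then
        echo "$file: owned by $owner, expected $want"; bad=1
    fi
    problems=$(mode_problems "$mode") || {
        printf '%s\n' "$problems" | while IFS= read -r p; do
            echo "$file (mode $mode): $p"
        done
        bad=1
    }
    return $bad
}

# audit_scripts ROOT [OWNER]: check the two directly-run scripts.
audit_scripts() {
    root=$1; who=${2:-cs-inv}; failed=0
    for s in index.php ServicesAjaxHandler.php; do
        audit_file "$root/web/inventory/$s" "$who" || failed=1
    done
    return $failed
}

# Usage: sh audit.sh ROOT [OWNER]  (no arguments: only define the functions)
if [ "$#" -gt 0 ]; then audit_scripts "$@"; fi
```

A non-zero exit status means at least one script would trigger the flexsuexec error shown above or is not owned by the expected user.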

Dependencies

Inventory relies upon the following SQL databases:
  • mysql.cs database "equipment"
  • mysql.cs database "rt-math-1"
  • postgres.cs database "subscription"

It uses the Infoblox API to access Infoblox for DNS updates. This is done via a Perl layer: the PHP code calls scripts contained in the "/u/cs-inv/infoblox-scripts" directory.

Inventory relies on API access to:

The following systems depend on access to Inventory's SQL database:

  • ST (connections from www152.cs)
    • read-only access to tables: inventory, inv_dns, inv_macaddress
  • Research Subscription app (from www152.cs)
    • read-only access to view: inv_view
  • Infrastructure: webpages: (from linux.cscf)
  • Infrastructure: pxe auto-installation: (not production; from linux.cscf in ~a2brenna)
    • read-only access to tables: inventory, inv_dns, inv_macaddress
  • Infrastructure: salt: (planned; from salt*.cscf)
    • read-write access to tables: inventory, inv_dns, inv_macaddress
  • ...
  • MFCF: equipment-1 package scripts
    • read-only access to tables: inventory, inv_dns, inv_macaddress and view inv_view

Updating the Infoblox Library

When cs-inv@cs.uwaterloo.ca starts getting hourly error messages from the DNS-updating cron job that look like this:

API returned: The version of perl module [...] doesn't match the server version [...]

…Infoblox has been upgraded and we need to update the Infoblox Perl library to match. Hopefully we can anticipate this event, because (if they are sizable upgrades) IST announces on maintain-users@lists.uwaterloo.ca when Infoblox will go down for an upgrade.

Here is how to update the Perl library.

  1. Visit https://nsbuild.uwaterloo.ca/api/dist/CPAN/authors/id/INFOBLOX/ to find the name of the file to download. It will be a gzipped file with a name consisting of the prefix "Infoblox-", a version number, and the suffix ".tar.gz".
    We will use Infoblox-6.0080030219496.tar.gz as an example.
  2. On www152.cs (not linux.cs), enter these commands, substituting the latest Infoblox version number as needed:
    1. su - cs-inv
    2. cd work/infoblox
    3. wget https://nsbuild.uwaterloo.ca/api/dist/CPAN/authors/id/INFOBLOX/Infoblox-6.0080030219496.tar.gz
    4. tar -xzvf Infoblox-6.0080030219496.tar.gz (Be sure to specify the right one!)
    5. cd Infoblox-6.0080030219496
    6. perl Makefile.PL INSTALL_BASE=/u/cs-inv/infoblox-scripts/
    7. make (Generates lots of output—largely .pod documentation manification)
    8. make test
    9. make install (Generates lots of output)

The result is an upgrade installed in the location expected by the crontab and updating scripts, which is:
/u/cs-inv/infoblox-scripts/lib

As a test you can try running:
~/infoblox-scripts/ibclispeedy -e 'show host scspc545.cs.uwaterloo.ca';
This should return with about 20 lines of details for host scspc545.cs. If, instead, you see an error such as:
Error : API returned : Creating session with the server failed. (1006)
…you will need to kill all running "speedy" processes like this:

(drallen)@www152% ps aux|grep speedy
cs-inv   41166  0.0  0.0 200876 156624 ?       Ss   10:06   0:01 /usr/bin/speedy_backend /u/cs-inv/infoblox-scripts/ibclispeedy -e conf zone "" del host imac358.student.cs.uwaterloo.ca
cs-inv   41167  0.0  0.0 233596 165660 ?       S    10:06   0:00 /usr/bin/speedy_backend /u/cs-inv/infoblox-scripts/ibclispeedy -e conf zone "" del host imac358.student.cs.uwaterloo.ca
cs-inv   45489  0.0  0.0   9388   912 pts/0    S+   11:19   0:00 grep speedy
(drallen)@www152% kill 41167 41166
[...]

Then, re-running the above "ibclispeedy" test should succeed. If it does not, check for "speedy" processes again, kill them, and retest until the test succeeds.

When the test succeeds, run:
/u/cs-inv/infoblox-scripts/exportNetToDB.pl
…which should return after approximately 5 minutes with no output or errors. This will update the inventory cache of CS DNS information, which normally won't run again until 19 minutes after the hour.

People

Role              Person(s)
Administrator     Daniel Allen
Point of contact  Daniel Allen
CSCF Staff Contact: cscf-staff@cs.uwaterloo.ca
MFCF Staff Contacts: Robyn Landers, Lori Seuss

Topic revision: r54 - 2019-07-29 - DanielAllen
 