Inventory System Administrator Documentation
The inventory system tracks CSCF and Computer Science equipment in a database. It can be accessed at
https://cs.uwaterloo.ca/cscf/internal/inventory/. It is also used by MFCF.
System Specifications
Hardware
The CSCF Inventory system runs on our main web cluster,
cs.uwaterloo.ca
(
https://cs.uwaterloo.ca/cscf/internal/inventory/), and our MySQL server,
mysql.cs.uwaterloo.ca
.
The MFCF version runs on our web cluster at a different url (
https://cs.uwaterloo.ca/mfcf/inventory), using the same code as CSCF's, but with a configuration check to load from an MFCF database. See our
main configuration file, detailed below.
Software
- Web Cluster information: CsWeb
- File Path corresponding to root URL:
/var/www/cs.uwaterloo.ca/cscf/internal/inventory
- File Path of main configuration file:
/var/www/cs.uwaterloo.ca/cscf/internal/inventory/web/inventory/protected/config/main.php
- File Path of passwords:
~cs-inv/private/inventory/new-password.inc
- Web Framework log files:
/var/www/cs.uwaterloo.ca/cscf/internal/inventory/web/inventory/protected/runtime/application.log
- Database:
- Stored on mysql.cs
- Named "equipment"
- Access is via command-line or phpMyAdmin - inventory uses mysql user 'equipment_app'
Automatically Updated tables
- The "aux_hosts" and "aux_domains" tables are updated by a systemd job run as user "cs-inv" on host "mc-3015-www-154" once an hour, on the hour. The php command,
/u/cs-inv/infoblox-scripts/exportNetToDB.php
, queries the Infoblox DNS database to produce a cache of records known to be part of the CS environment. It selects these hosts by looking for Extended Attribute Primary OU = 'CS'
.
Authentication and Authorization
Authentication via the browser is handled by the university's Single Sign On
ADFS. Your WatIAM credentials will give you access and your session will be valid until midnight. If you are not already logged in to
ADFS, the inventory system will send you to adfs.uwaterloo.ca to prompt you for a username and password when you attempt to view one of its pages.
Architecture
The Inventory system is written in the PHP MVC framework '
Yii'. The main configuration file can be found at:
/u/cs-inv/l/inventory/web/inventory/protected/config/main.php
Due to the permissions model of
flexsuexec, when this code is updated from revision control, it is important that executable PHP remain owned by user "cs-inv", with "u+xs" and "o-wx" permissions. Otherwise, end-users will see an error message in the form:
500 flexsuexec error 15: target CGI is too accessible: ... ServicesAjaxHandler.php
Dependencies
Inventory relies upon the following SQL databases:
- mysql.cs database "equipment"
- mysql.cs database "rt-math-1"
- postgres.cs database "subscription"
It uses the Infoblox API to access Infoblox for DNS updates. This is done via SOAP calls within the code.
Inventory relies on API access to:
The following systems depend on access to Inventory's SQL database:
- ST (connections from our web cluster)
- read-only access to tables:
inventory, inv_dns, inv_macaddress
- Research Subscription app (from our web cluster)
- read-only access to view:
inv_view
- Infrastructure: webpages: (from
linux.cscf
)
- Infrastructure: pxe auto-installation: (not production; from
linux.cscf
in ~a2brenna
)
- read-only access to tables:
inventory, inv_dns, inv_macaddress
- Infrastructure: salt: (planned; from
salt*.cscf
)
- read-write access to tables:
inventory, inv_dns, inv_macaddress
- ...
- MFCF: equipment-1 package scripts
- read-only access to tables:
inventory, inv_dns, inv_macaddress
and view inv_view
Manually refreshing the cache
Very occasionally the hourly cache refresh fails on mc-3015-www-154. If the database table "inventory.aux_hosts" column "local_update" has a timestamp older than an hour, this has happened.
In the past six years this has not been an issue with the code, rather with the web server running the process. If there is an issue with the code, then
cs-inv@cs.uwaterloo.ca will start getting hourly error messages from the DNS-updating systemd job. If there is no error email, assume it's the server. Note that by
~cs-inv/.forward
, cs-inv is currently set to (only) forward email to
drallen@uwaterloo.ca which will need to be updated to include whomever is testing for update emails.
To diagnose/debug the problems (connection? pam stack?) try looking at /var/log/auth.log and/or other logs on that host.
The cache script itself can be run manually as
/usr/bin/php /u/cs-inv/infoblox-scripts/exportNetToDB.php 2>&1
It should return with no errors (and will update the cache as described above).
People
See Also
Applications
Related ST Items
Related TWiki Pages
Historical TWiki Pages
Related eDocs