Inventory System Administrator Documentation

The inventory system tracks CSCF and Computer Science equipment in a database. It can be accessed at https://cs.uwaterloo.ca/cscf/internal/inventory/. It is also used by MFCF.

System Specifications

Hardware

The CSCF Inventory system runs on our main web cluster, cs.uwaterloo.ca (https://cs.uwaterloo.ca/cscf/internal/inventory/), and our MySQL server, mysql.cs.uwaterloo.ca.

The MFCF version runs on our web cluster at a different URL (https://cs.uwaterloo.ca/mfcf/inventory), using the same code as CSCF's, but with a configuration check to load from an MFCF database. See our main configuration file, detailed below.

Software

  • Web Cluster information: CsWeb
  • File Path corresponding to root URL:
    /var/www/cs.uwaterloo.ca/cscf/internal/inventory
  • File Path of main configuration file:
    /var/www/cs.uwaterloo.ca/cscf/internal/inventory/web/inventory/protected/config/main.php
  • File Path of passwords:
    ~cs-inv/private/inventory/new-password.inc
  • Web Framework log files:
    /var/www/cs.uwaterloo.ca/cscf/internal/inventory/web/inventory/protected/runtime/application.log
  • Database:
    • Stored on mysql.cs
    • Named "equipment"
    • Access is via command-line or phpMyAdmin - inventory uses mysql user 'equipment_app'

Automatically Updated tables

  • The "aux_hosts" and "aux_domains" tables are updated by a systemd job run as user "cs-inv" on host "mc-3015-www-154" once an hour, on the hour. The php command, /u/cs-inv/infoblox-scripts/exportNetToDB.php, queries the Infoblox DNS database to produce a cache of records known to be part of the CS environment. It selects these hosts by looking for Extended Attribute Primary OU = 'CS'.

Authentication and Authorization

Authentication via the browser is handled by the university's Single Sign On ADFS. Your WatIAM credentials will give you access and your session will be valid until midnight. If you are not already logged in to ADFS, the inventory system will send you to adfs.uwaterloo.ca to prompt you for a username and password when you attempt to view one of its pages.

Architecture

The Inventory system is written in the PHP MVC framework 'Yii'. The main configuration file can be found at:
/u/cs-inv/l/inventory/web/inventory/protected/config/main.php

Due to the permissions model of flexsuexec, when this code is updated from revision control, it is important that executable PHP remain owned by user "cs-inv", with "u+xs" and "o-wx" permissions. Otherwise, end-users will see an error message in the form:
500 flexsuexec error 15: target CGI is too accessible: ... ServicesAjaxHandler.php
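
One way to check the ownership and mode rule above after an update from revision control. This is an added example, not part of the inventory code base; the function name audit_php_perms is hypothetical, and it assumes every *.php file under the directory you pass counts as executable PHP:

```shell
#!/bin/sh
# Added example: audit PHP files against the flexsuexec rule described above.
# Assumption: every *.php file under DIR is treated as executable PHP.

# audit_php_perms OWNER DIR
# Prints "<reason><TAB><path>" for each violation.
# Exit status: 0 = all files comply, 1 = violations found, 2 = bad DIR.
audit_php_perms() (
    # Subshell body: variables and the helper below stay local.
    owner=$1
    dir=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; exit 2; }

    # flag REASON FIND-TESTS... : list *.php files matching the tests.
    flag() {
        reason=$1
        shift
        find "$dir" -type f -name '*.php' "$@" \
            -exec printf "$reason\t%s\n" {} +
    }

    report=$(
        flag wrong-owner  ! -user "$owner"     # must be owned by OWNER
        flag missing-u+x  ! -perm -0100        # owner execute bit (u+x)
        flag missing-u+s  ! -perm -4000        # setuid bit (u+s)
        flag other-w-or-x \( -perm -0002 -o -perm -0001 \)  # o-wx violated
    )

    [ -z "$report" ] && exit 0
    printf '%s\n' "$report"
    exit 1
)

# Stand-alone use, e.g.:  sh audit.sh cs-inv /path/to/checkout
if [ "$#" -eq 2 ]; then
    audit_php_perms "$1" "$2"
fi
```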

Dependencies

Inventory relies upon the following SQL databases:
  • mysql.cs database "equipment"
  • mysql.cs database "rt-math-1"
  • postgres.cs database "subscription"

It uses the Infoblox API to access Infoblox for DNS updates. This is done via SOAP calls within the code.

Inventory relies on API access to:

The following systems depend on access to Inventory's SQL database:

  • ST (connections from our web cluster)
    • read-only access to tables: inventory, inv_dns, inv_macaddress
  • Research Subscription app (from our web cluster)
    • read-only access to view: inv_view
  • Infrastructure: webpages: (from linux.cscf)
  • Infrastructure: pxe auto-installation: (not production; from linux.cscf in ~a2brenna)
    • read-only access to tables: inventory, inv_dns, inv_macaddress
  • Infrastructure: salt: (planned; from salt*.cscf)
    • read-write access to tables: inventory, inv_dns, inv_macaddress
  • ...
  • MFCF: equipment-1 package scripts
    • read-only access to tables: inventory, inv_dns, inv_macaddress and view inv_view

Manually refreshing the cache

Very occasionally the hourly cache refresh fails on mc-3015-www-154. If the database table "inventory.aux_hosts" column "local_update" has a timestamp older than an hour, this has happened.

In the past six years this has not been an issue with the code, but rather with the web server running the process. If there is an issue with the code, then cs-inv@cs.uwaterloo.ca will start getting hourly error messages from the DNS-updating systemd job. If there is no error email, assume it's the server. Note that by ~cs-inv/.forward, cs-inv is currently set to (only) forward email to drallen@uwaterloo.ca, which will need to be updated to include whoever is testing for update emails.

To diagnose/debug the problems (connection? PAM stack?), try looking at /var/log/auth.log and/or other logs on that host.

The cache script itself can be run manually as:
/usr/bin/php /u/cs-inv/infoblox-scripts/exportNetToDB.php 2>&1

It should return with no errors (and will update the cache as described above).

People

Administrator: Daniel Allen
Point of contact: Daniel Allen
CSCF Staff Contact: cscf-staff@cs.uwaterloo.ca
MFCF Staff Contacts: Robyn Landers, Lori Seuss

Topic revision: r57 - 2022-05-04 - DanielAllen
 