Inventory System Administrator Documentation
The inventory system tracks CSCF and Computer Science equipment in a database. It can be accessed at https://cs.uwaterloo.ca/cscf/internal/inventory/. It is also used by MFCF.
System Specifications
Hardware
The CSCF Inventory system runs on our main web cluster, cs.uwaterloo.ca (https://cs.uwaterloo.ca/cscf/internal/inventory/), and our MySQL server, mysql.cs.uwaterloo.ca.
The MFCF version runs on our web cluster at a different URL (https://cs.uwaterloo.ca/mfcf/inventory), using the same code as CSCF's, but with a configuration check to load from an MFCF database. See our main configuration file, detailed below.
Software
- Web Cluster information: CsWeb
- File Path corresponding to root URL: /var/www/cs.uwaterloo.ca/cscf/internal/inventory
- File Path of main configuration file: /var/www/cs.uwaterloo.ca/cscf/internal/inventory/web/inventory/protected/config/main.php
- File Path of passwords: ~cs-inv/private/inventory/new-password.inc
- Web Framework log files: /var/www/cs.uwaterloo.ca/cscf/internal/inventory/web/inventory/protected/runtime/application.log
- Database:
  - Stored on mysql.cs
  - Named "equipment"
  - Access is via command-line or phpMyAdmin - inventory uses mysql user 'equipment_app'
Automatically Updated tables
- The "aux_hosts" and "aux_domains" tables are updated by a systemd job run as user "cs-inv" on host "mc-3015-www-154" once an hour, on the hour. The PHP command, /u/cs-inv/infoblox-scripts/exportNetToDB.php, queries the Infoblox DNS database to produce a cache of records known to be part of the CS environment. It selects these hosts by looking for Extended Attribute Primary OU = 'CS'.
Authentication and Authorization
Authentication via the browser is handled by the university's Single Sign On ADFS. Your WatIAM credentials will give you access and your session will be valid until midnight. If you are not already logged in to ADFS, the inventory system will send you to adfs.uwaterloo.ca to prompt you for a username and password when you attempt to view one of its pages.
Architecture
The Inventory system is written in the PHP MVC framework 'Yii'. The main configuration file can be found at:
/u/cs-inv/l/inventory/web/inventory/protected/config/main.php
Due to the permissions model of flexsuexec, when this code is updated from revision control, it is important that executable PHP remain owned by user "cs-inv", with "u+xs" and "o-wx" permissions. Otherwise, end-users will see an error message in the form:
500 flexsuexec error 15: target CGI is too accessible: ... ServicesAjaxHandler.php
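A check that can be run after each update from revision control, as an added example that is not part of the inventory code base: it lists PHP files that are not owned by the expected user, lack "u+xs", or are writable or executable by others. It assumes every `*.php` file under the tree counts as executable PHP; the function name `audit_php_perms` is hypothetical.

```sh
#!/bin/sh
# Added example: audit a deployed tree for the flexsuexec requirements
# described above (owner, "u+xs", "o-wx").
# Assumption: every *.php file under the tree counts as "executable PHP".

# audit_php_perms ROOT OWNER   (hypothetical helper name)
#   ROOT   directory to scan
#   OWNER  expected owner, as a user name or numeric uid
# Prints one "reason<TAB>path" line per violation, sorted; prints nothing
# when the tree is clean. A file can appear under more than one reason.
audit_php_perms() {
    root=$1
    owner=$2
    {
        # Not owned by the expected user.
        find "$root" -type f -name '*.php' ! -user "$owner" \
            -exec printf 'owner\t%s\n' {} \;
        # Missing setuid and/or owner-execute: -perm -4100 needs both bits.
        find "$root" -type f -name '*.php' ! -perm -4100 \
            -exec printf 'missing-u+xs\t%s\n' {} \;
        # Writable or executable by "other".
        find "$root" -type f -name '*.php' \( -perm -0002 -o -perm -0001 \) \
            -exec printf 'other-wx\t%s\n' {} \;
    } | sort
}

# Usage after an update (path and user as given on this page):
#   audit_php_perms /var/www/cs.uwaterloo.ca/cscf/internal/inventory cs-inv
```

Empty output means every PHP file meets the stated ownership and mode requirements.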
Dependencies
Inventory relies upon the following SQL databases:
- mysql.cs database "equipment"
- mysql.cs database "rt-math-1"
- postgres.cs database "subscription"
It uses the Infoblox API to access Infoblox for DNS updates. This is done via SOAP calls within the code.
Inventory relies on API access to:
The following systems depend on access to Inventory's SQL database:
- ST (connections from our web cluster)
  - read-only access to tables: inventory, inv_dns, inv_macaddress
- Research Subscription app (from our web cluster)
  - read-only access to view: inv_view
- Infrastructure: webpages: (from linux.cscf)
- Infrastructure: pxe auto-installation: (not production; from linux.cscf in ~a2brenna)
  - read-only access to tables: inventory, inv_dns, inv_macaddress
- Infrastructure: salt: (planned; from salt*.cscf)
  - read-write access to tables: inventory, inv_dns, inv_macaddress
- ...
- MFCF: equipment-1 package scripts
  - read-only access to tables: inventory, inv_dns, inv_macaddress and view inv_view
Manually refreshing the cache
Very occasionally the hourly cache refresh fails on mc-3015-www-154. If the database table "inventory.aux_hosts" column "local_update" has a timestamp older than an hour, this has happened.
In the past six years this has not been an issue with the code, rather with the web server running the process. If there is an issue with the code, then cs-inv@cs.uwaterloo.ca will start getting hourly error messages from the DNS-updating systemd job. If there is no error email, assume it's the server. Note that by ~cs-inv/.forward, cs-inv is currently set to (only) forward email to drallen@uwaterloo.ca, which will need to be updated to include whoever is testing for update emails.
To diagnose/debug the problems (connection? pam stack?) try looking at /var/log/auth.log and/or other logs on that host.
The cache script itself can be run manually as
/usr/bin/php /u/cs-inv/infoblox-scripts/exportNetToDB.php 2>&1
It should return with no errors (and will update the cache as described above).