Inventory System Administrator Documentation

The inventory system tracks CSCF and Computer Science equipment in a database. It can be accessed at https://cs.uwaterloo.ca/cscf/internal/inventory/. It is also used by MFCF.

System Specifications

Hardware

The CSCF Inventory system runs on our main webserver, www152.cs.uwaterloo.ca, and our MySQL server, mysql.cs.uwaterloo.ca.

The MFCF version runs on our webserver, using the same code as CSCF's, but with a configuration check to load from an MFCF database. See our main configuration file, detailed below.

Software

  • File Path corresponding to root URL:
    www152.cs:/software/odyssey-3_apache/data/vhosts/cs.uwaterloo.ca/cscf/internal/inventory
  • File Path of main configuration file:
    www152.cs:/software/odyssey-3_apache/data/vhosts/cs.uwaterloo.ca/cscf/internal/inventory/web/inventory/protected/config/main.php
  • Apache Error log files:
    www152.cs:/software/odyssey-3_apache/logs/yyyy/mm/dd/www152-errors-cs-ssl
  • Web Framework log files:
    www152.cs:/software/odyssey-3_apache/data/vhosts/cs.uwaterloo.ca/cscf/internal/inventory/web/inventory/protected/runtime/application.log
  • Database:
    • Stored on mysql.cs
    • Named "equipment"
    • Access is via command-line or phpMyAdmin

Automatically Updated tables

  • The "aux_hosts" and "aux_domains" tables are updated by a cron job run as user "cs-inv" on host "ubuntu1604-102" once an hour, at 19 minutes past the hour, between 6:19 a.m. and 8:19 p.m. The PHP command, /u/cs-inv/infoblox-scripts/exportNetToDB.php, queries the Infoblox DNS database to produce a cache of records known to be part of the CS environment. It selects these hosts by looking for Extended Attribute Primary OU = 'CS'.

Authentication and Authorization

Authentication via the browser is handled by the university's Central Authentication Service (CAS). Your WatIAM credentials will give you access and your session will be valid until midnight. If you are not already logged in to CAS, the inventory system will prompt you for a username and password when you attempt to view one of its pages.

Architecture

The Inventory system is written in the PHP MVC framework 'Yii'. The main configuration file can be found at:
/u/cs-inv/l/inventory/web/inventory/protected/config/main.php

Due to the permissions model of flexsuexec, when this code is updated from revision control, it is important that executable PHP remain owned by user "cs-inv", with "u+xs" and "o-wx" permissions. Otherwise, end-users will see an error message in the form:
500 flexsuexec error 15: target CGI is too accessible: ... ServicesAjaxHandler.php
The only scripts that are run directly under the user's own permissions are in the "$ROOT/web/inventory/" directory. Currently, those scripts are:

  • index.php
  • ServicesAjaxHandler.php.
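
A check that can be run after updating from revision control to confirm the two entry scripts still meet the ownership and permission requirements described above. This is an added example, not part of the inventory code base; it assumes GNU coreutils `stat`, and the function names `check_script` and `audit_entry_scripts` are hypothetical.

```shell
#!/bin/sh
# Added example: audit the flexsuexec-sensitive entry scripts after a checkout.
# Assumes GNU coreutils stat (-c). Helper names are hypothetical.

# check_script FILE OWNER
# Returns 0 if FILE is owned by OWNER, has u+x and the setuid bit set,
# and grants neither write nor execute to "other"; returns 1 otherwise.
check_script() {
    file=$1; want_owner=$2
    [ -f "$file" ] || { echo "MISSING  $file"; return 1; }
    owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")      # octal digits, e.g. 4750
    bits=$((0$mode))                  # leading 0 makes the shell read it as octal
    rc=0
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER    $file is owned by $owner, expected $want_owner"; rc=1
    fi
    if [ $((bits & 04100)) -ne $((04100)) ]; then
        echo "NO u+xs  $file (mode $mode)"; rc=1
    fi
    if [ $((bits & 03)) -ne 0 ]; then
        echo "o+w/x    $file (mode $mode) is writable or executable by other"; rc=1
    fi
    return $rc
}

# audit_entry_scripts DIR [OWNER]
# Checks the two scripts the page lists under $ROOT/web/inventory/.
# Return status is the number of scripts that failed (0 = all good).
audit_entry_scripts() {
    dir=$1; acct=${2:-cs-inv}
    failed=0
    for name in index.php ServicesAjaxHandler.php; do
        check_script "$dir/$name" "$acct" || failed=$((failed + 1))
    done
    return $failed
}

# Run directly as: sh audit.sh "$ROOT/web/inventory" [owner]
[ $# -eq 0 ] || audit_entry_scripts "$@"
```

A file that fails the mode checks can be corrected with `chmod u+xs,o-wx FILE`; an ownership failure needs `chown` by an account permitted to change it.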

Dependencies

Inventory relies upon the following SQL databases:
  • mysql.cs database "equipment"
  • mysql.cs database "rt-math-1"
  • postgres.cs database "subscription"

It uses the Infoblox API to access Infoblox for DNS updates. This is done via SOAP calls within the code.

Inventory relies on API access to:

The following systems depend on access to Inventory's SQL database:

  • ST (connections from www152.cs)
    • read-only access to tables: inventory, inv_dns, inv_macaddress
  • Research Subscription app (from www152.cs)
    • read-only access to view: inv_view
  • Infrastructure: webpages: (from linux.cscf)
  • Infrastructure: pxe auto-installation: (not production; from linux.cscf in ~a2brenna)
    • read-only access to tables: inventory, inv_dns, inv_macaddress
  • Infrastructure: salt: (planned; from salt*.cscf)
    • read-write access to tables: inventory, inv_dns, inv_macaddress
  • ...
  • MFCF: equipment-1 package scripts
    • read-only access to tables: inventory, inv_dns, inv_macaddress and view inv_view

Manually refreshing the cache

Very occasionally the hourly cache refresh fails on ubuntu1604-102. If the database table "inventory.aux_hosts" column "local_update" has a timestamp older than an hour, this has happened.

In the past two years this has not been an issue with the code, but rather with the server. If there is an issue with the code, then cs-inv@cs.uwaterloo.ca will start getting hourly error messages from the DNS-updating cron job. If there is no cron error email, assume it's the server.

You can diagnose and debug the problem (connection? PAM stack?) by looking at /var/log/auth.log on that host.

The cache script itself can be run manually as /usr/bin/php /u/cs-inv/infoblox-scripts/exportNetToDB.php 2>&1

It should return with no errors (and will update the cache as described above).

People

Role: Person(s)
Administrator: Daniel Allen
Point of contact: Daniel Allen
CSCF Staff Contact: cscf-staff@cs.uwaterloo.ca
MFCF Staff Contacts: Robyn Landers, Lori Seuss

Topic revision: r55 - 2019-10-01 - DanielAllen
 