User managed servers
It is possible for users with rack-mountable servers to have those servers physically hosted in an AITS machine room, which has proper physical security, environmental control and monitoring, and redundant protected power.
System owners have the choice between having their system managed by AITS, or managing the system themselves. It is important to note that "user-managed" means just that: managed by you, the user.
Please read the table below, and decide whether to have your system managed by us (AITS-managed) or by you (User-managed).
TOPIC | AITS-managed system | User-managed system |
SELECTION OF HARDWARE | Your hardware must conform to the requirements set out in the section below. We may impose additional requirements to ensure that we can run our standard O/S on your hardware. | Your hardware must conform to the requirements set out in the section below. |
H/W INSTALLATION | We will install the hardware, supply power, and cable the network, as well as configure the Lights-Out Management. | We will install the hardware, supply power, and cable the network, as well as configure the Lights-Out Management. |
MAINTENANCE CONTRACTS AND TROUBLESHOOTING | We will monitor and troubleshoot the hardware and arrange for repairs when necessary; however, the system must be under warranty or under a maintenance contract with the vendor. This means that when the warranty ends, you will be asked to pay to extend it or to buy a maintenance contract; if you do not, the system will be wiped and removed from our responsibility. | The hardware is your responsibility, as is contacting the vendor for any maintenance under warranty. We will supervise brief access to the server room for replacement of a part, but if extended troubleshooting is necessary, we will unmount the system and give it to you so you can work on it in your lab at your convenience, and we will physically reinstall it once you finish the repairs. |
ACCESS TO THE HARDWARE | You will not have any physical access to your hardware, as we will be taking care of all physical aspects for you. | You will in general not have physical access to your hardware. In most cases you will use the system's Lights-Out Management service to access the console and turn power on and off; see the sections below on remote console access and remote power management. In very exceptional cases (for example, equipment is defective and needs to be replaced), brief supervised access to the server room can be arranged. |
O/S INSTALLATION, CONFIGURATION, AND USER ACCOUNTS | We will install our standard Linux O/S, and configure it using our automated tools. The system will use the centralized set of ENCS accounts, but if you wish, we will restrict access to a list of users supplied by you. You will NOT have root access to your system. | You are responsible for installing and configuring the O/S, and for creating and managing user accounts. You will have full root access to your system. |
O/S PATCHING AND REBOOTS | We will patch the system with the latest updates at least monthly; we monitor security bulletins, and if serious vulnerabilities are reported, we may patch more often. We reserve the right to reboot the system during the monthly maintenance window or, in an emergency, outside that window; our reboots are mandatory, and no exceptions are made. Your users must plan any long-running jobs accordingly. | You are responsible for keeping your system securely patched; the timing of any necessary reboots is up to you. |
SOFTWARE AVAILABILITY | Your system's users will benefit from the hundreds of software packages already in our central repository. Additional packages can usually be installed upon request. Occasionally, for specifically licensed software that you buy, we can install the software for you, directly on your system. | You are responsible for installing needed software onto your system. |
NFS ACCESS TO USER FILES | User home directories on the central fileserver, as well as group directories and "facdisk" space, are mounted onto the system, and fully available to your users. | It is not possible to supply NFS access to user files on the central fileserver. Your users will need to copy in the files they need. |
DATA BACKUPS | Your system's O/S and configuration, as well as some additional data (if present) are backed up daily; user files on our central fileserver are snapshotted considerably more frequently, and mirrored to another fileserver. Scratch space is NOT backed up. | You are responsible for making backups of your system, including user data. |
Requirements
In order to be hosted in an AITS machine room, a user-managed server must meet certain requirements:
- must be rack-mountable in a standard rack that is 19 inches (482.6 mm) wide and 30 inches (762 mm) deep; if your server exceeds 30 inches in length, you will be required to purchase an extra-deep rack to house your system
- must come with rails (these need to be purchased directly from the equipment manufacturer)
- must be capable of accepting IEC C14 to IEC C13 power cables rated at 200-240 VAC for loads up to 10 amperes
- must have a redundant power supply (two power supply units)
- must have an out-of-band management system, such as iLO (HP), Remote Supervisor Adapter (IBM), or DRAC (Dell)
If at all possible, please check your proposed server with us before creating the purchase order. It's a lot less expensive than having to make a change after the equipment has arrived.
Rules
Physical access is in general not available. You are expected to manage your machine(s) remotely by using a network-enabled KVM (which we supply) or your server's remote management interface (LOM, iLO), which you can use to load virtual media, and to power your system on and off.
In very exceptional cases (for example, equipment is defective and needs to be replaced), brief supervised access to the room can be arranged. Since visitors must be accompanied at all times, visits of consultants or technicians who need to work on the equipment must be coordinated in advance with AITS.
Whom to contact
To request that a server be hosted in an AITS machine room, for more information, or for pre-purchase assistance in configuring your system, please open a ticket with the Service Desk; it's helpful to mention in your message that your request should be brought to the "attention of ENCS SAG" (the System Administration Group).
Remote console access via LOM
Most modern computer systems have a LOM (Lights-Out Management) port. If your system has one, we have networked it as "SYSTEMNAME.ulom.private"; for example, if the hostname is "foobar.encs.concordia.ca", the LOM's name will be "foobar.ulom.private".
LOMs in "ulom.private" can be reached by ssh from the host "login.encs"; they are in private network space, which is reachable only from certain hosts. It is possible to allow access from particular workstations within the ENCS networks; to enable such access, the professor owning the equipment should open a service ticket to request access to "SYSTEMNAME.ulom.private" from "name of the workstation to be allowed".
Some older LOMs cannot use modern SSH algorithms. If your attempt to reach your LOM fails for this reason (use "ssh -v" to see what the problem is), you can work around it by specifying the older algorithms the LOM supports, for example:
ssh -v -o HostKeyAlgorithms=ssh-rsa SYSTEMNAME.ulom.private
You can also put the workaround in your .ssh/config file so that you don't have to type it every time; the "Host" block limits the weaker settings to that one LOM, for example:
Host SYSTEMNAME.ulom.private
    KexAlgorithms diffie-hellman-group1-sha1
    HostKeyAlgorithms ssh-rsa
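As an added helper (not part of the AITS page or its tooling), the script below reads the output of "ssh -v" and turns OpenSSH's "Unable to negotiate" line into the scoped .ssh/config stanza described above, using the "+" form so the legacy algorithm is appended to the client's default list for that LOM only rather than replacing it everywhere. The debug lines and the 10.0.0.5 address are constructed sample data.

```python
import re
import sys

# Phrase OpenSSH uses in "Unable to negotiate" -> ssh_config keyword for that list.
_KEYWORDS = {
    "host key type": "HostKeyAlgorithms",
    "key exchange method": "KexAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}

_NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (\S+) port \d+: "
    r"no matching (host key type|key exchange method|cipher|MAC) found\. "
    r"Their offer: ([\w@.,-]+)"
)


def legacy_options(ssh_debug_output):
    """Return {ssh_config keyword: algorithm} for each list ssh could not negotiate.

    Only the first algorithm the LOM offers is taken, so the workaround
    re-enables as little legacy crypto as possible.
    """
    found = {}
    for m in _NEGOTIATE_RE.finditer(ssh_debug_output):
        kind, offer = m.group(2), m.group(3)
        found[_KEYWORDS[kind]] = offer.split(",")[0]
    return found


def config_stanza(lom_host, options):
    """Render a Host block limited to the LOM so no other host is weakened."""
    lines = [f"Host {lom_host}"]
    for keyword, algorithm in sorted(options.items()):
        # '+' appends to the default list instead of replacing it.
        lines.append(f"    {keyword} +{algorithm}")
    return "\n".join(lines)


# Constructed sample of what ssh -v prints against an old LOM (not real output).
SAMPLE_DEBUG = """\
debug1: kex: algorithm: (no match)
Unable to negotiate with 10.0.0.5 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
"""

if __name__ == "__main__":
    text = SAMPLE_DEBUG if sys.stdin.isatty() else sys.stdin.read()
    opts = legacy_options(text)
    print(config_stanza("SYSTEMNAME.ulom.private", opts) if opts
          else "no algorithm-negotiation failure found in ssh -v output")
```

Run it as "ssh -v SYSTEMNAME.ulom.private 2>&1 | python3 lom_diag.py" (the filename is a placeholder) and repeat if the next attempt fails on a different list, such as the host key type.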
Remote power management
As indicated in the "Requirements" section above, all servers newly installed in an AITS machine room must have an out-of-band management system (LOM, or "lights-out management"), which can be used (among other things) to turn power to the server on and off.
Some special-purpose devices, such as switches, are not available with a LOM, and there are a few old servers remaining which also don't have a LOM. In those cases only, owners of user-managed servers in EV007.215 may request that their system be connected to a remote-access KVM, which can be used to switch on/off outlets of PDUs supplying power to their machines.
Remote KVM access and authentication
You can log in to the remote KVM over the web, at the URL https://kvmswitch-um-2.ulom.private/ using your ENCS username and password.
Note 1: the KVM is in GCS private network space; if you are coming from a host offsite, you'll need to tunnel in. (What is an ssh tunnel and how does it work?)
Note 2: the remote KVM cannot handle passwords longer than 16 characters, so if your ENCS password is too long, you'll have to change it.
Remote KVM menu
When you've been successfully authenticated, in the left pane in your web browser, you will see something like this:
[-] WB6
[+] [03] WB5
[+] [04] WB5
For the purpose of this tutorial, let's assume that you have 2 servers named Server1 and Server2 that are mounted in rack WB5.
(WB6 is the rack housing the master KVM in the User-Managed rack row.)
The two instances of WB5 represent two ports of an auxiliary KVM in rack WB5 that is uplinked to the master KVM. Those duplicate port entries for rack WB5 allow up to two remote users to simultaneously use the KVM.
Clicking on '[+]' will open a list of KVM ports of your servers as well as any PDUs that power your systems. It might look like this:
[15] Server1
[16] Server2
[+] pdu-1-ups1
[+] pdu-1-ups2
Power control via remote KVM
The most direct way of controlling power to your servers is by clicking on Server1 or Server2 to bring up (in the center pane of the web page) a table titled Power Management that contains Station, Outlet, and Status information for your systems.
By clicking on the name of the outlet, you will be able to Power On or Power Off the outlet, as well as Reboot your server.
If your server has more than one power supply, you will need to select all relevant outlets if you wish to power off your server completely.
You can hold down the Ctrl or Shift key to highlight multiple outlets on which to perform an action. You can also check the "[ ] Select All" box as a shortcut to selecting all outlets.
More information on remote KVM
If you would like to know more about the remote KVM, its User Guide is available at this URL:
http://www.apc.com/salestools/MLAN-8FUNY7/MLAN-8FUNY7_R1_EN.pdf
Remote console access for devices without a LOM
As indicated in the "Requirements" section above, all servers newly installed in an AITS machine room must have an out-of-band management system (LOM, or "lights-out management"), which can be used (among other things) to access the graphical (or possibly serial) console.
Some special-purpose devices, such as switches, are not available with a LOM, and there are a few old servers remaining which also don't have a LOM. In those cases only, owners of user-managed servers in EV007.215 may request that their system be connected to a Perle console server, if the device has a serial console.
Configuring your device console for use with a Perle console server
Line port settings for each Perle port are the following; you will need to use the same settings on your connected device:
- speed 9600
- terminal vt100
- flow none
- bits 8
- parity none
- stop 1
Perle console server access and authentication
The DNS name of the console server is "consuela.console.private", and it can be reached by SSH from the machine "login.encs.concordia.ca" (SSH first to "login.encs", and from there SSH to the Perle console server).
When authenticating to the Perle, you will use the username and password supplied to you by the System Administration Group (SAG). This password is unique to the Perle and different from your ENCS account's password.
The console server is very picky about the terminal emulation in the shell ('/encs/bin/tcsh') that originates the connection. Unless your TERM variable is already set to 'vt100', you will need to type 'setenv TERM vt100' before attempting an SSH connection to the Perle.
Perle console server menu
Once you've selected your system from the Perle menu, you may need to press ENTER a few times to get the console prompt of your device. To go back to the Perle menu (to select another system or to log out), type the escape sequence %%menu. To send a BREAK signal, the escape sequence is %%break.
More information on the Perle console server
If you want to learn more about this device, the Perle CS9000 console server User Guide is available at this URL: http://www.perle.com/support_services/documentation_pdfs/5500049.pdf