UNIX at SLAC
Updated: August 15, 2007
Taylor is a system for configuring a Unix workstation for use at SLAC. Taylor performs the initial setup of a workstation for the SLAC environment, and then performs regular updates of the system to incorporate software updates and security fixes as they become available. Taylor is currently available for Solaris and Linux, and there is limited support for Mac OS X.
The tasks that taylor performs are:
You will need root access (either the root password or sudo permission) to run taylor on a workstation.
/etc/taylor.opts file

Taylor has many configuration options. Most are only for use on servers and are not appropriate or useful on workstations. The generally applicable options are documented in the man page taylor.opts(5).
Before running taylor, create a file named /etc/taylor.opts. The format of this file has one option per line. On/off options are set by just the option name and unset by prefixing the option name with 'no'. Options that take values have the value specified following an equals sign on the same line. Comments and blank lines are ignored. A template options file with common options in comments can be found in /afs/slac/package/taylor/taylor.opts. If you have AFS already installed on your machine, you can become root and copy it to /etc/taylor.opts and modify as appropriate. If you do not have AFS installed, click on the link above and use the browser's Save As... menu to save a copy on your machine and copy it from there into /etc.
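The following is an added example, not part of the original page or of taylor itself: a small parser for the /etc/taylor.opts format as the paragraph above describes it (one option per line, a bare name to set an on/off option, a 'no' prefix to unset it, name=value for valued options, comments and blank lines skipped), plus a review step that flags the workgroup=none setting the Computer Security group discourages. The '#' comment character, the option name ntp, and the sample file contents are assumptions constructed for the example; only usrlocal and workgroup are option names the page actually mentions.

```python
"""Parser and reviewer for the /etc/taylor.opts option-file format.

Example code written for this page, not taylor's own implementation.
Assumptions: '#' begins a comment; the option vocabulary passed in as
`known` is the only way to tell an option named 'no...' from a negated
option, so the caller supplies it where it matters.
"""
from typing import Dict, List, Optional, Set, Union

OptValue = Union[bool, str]

# Constructed sample file; usrlocal and workgroup come from the page,
# 'ntp' is an invented on/off option used only to show negation.
SAMPLE_OPTS = """\
# workstation options (constructed sample, not a real machine's file)

usrlocal = local      # private /usr/local instead of the AFS symlink
nontp                 # unset the (hypothetical) on/off option 'ntp'
workgroup=none        # leave the root password entry unchanged
"""


def parse_taylor_opts(text: str, known: Optional[Set[str]] = None) -> Dict[str, OptValue]:
    """Return {option: value}; value is True/False for on/off options, str for valued ones."""
    opts: Dict[str, OptValue] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comment, surrounding blanks
        if not line:
            continue                              # blank or comment-only line
        if "=" in line:                           # valued option: name=value
            name, value = (part.strip() for part in line.split("=", 1))
            if not name:
                raise ValueError(f"line {lineno}: option name missing before '='")
            opts[name] = value
            continue
        if known is not None and line in known:   # exact known name wins over 'no' prefix
            opts[line] = True
        elif line.startswith("no") and len(line) > 2 and (known is None or line[2:] in known):
            opts[line[2:]] = False                # 'noNAME' unsets NAME
        else:
            opts[line] = True                     # bare name sets an on/off option
    return opts


def review_opts(opts: Dict[str, OptValue]) -> List[str]:
    """Flag settings the page says are discouraged or that weaken central administration."""
    warnings: List[str] = []
    if opts.get("workgroup") == "none":
        warnings.append("workgroup=none leaves the root password unmanaged; discouraged by SLAC Computer Security")
    if opts.get("usrlocal") == "local":
        warnings.append("usrlocal=local: this machine will not share the common AFS /usr/local software set")
    return warnings


if __name__ == "__main__":
    parsed = parse_taylor_opts(SAMPLE_OPTS, known={"ntp", "usrlocal", "workgroup"})
    for name, value in sorted(parsed.items()):
        print(f"{name} = {value!r}")
    for warning in review_opts(parsed):
        print("WARNING:", warning)
```

Passing the real option vocabulary as `known` matters for any option whose own name begins with "no"; without it the parser has to guess that a leading "no" is a negation.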
Bootstrapping Taylor

Taylor is available through AFS to SLAC machines. If you do not already have AFS installed, you will need to use the AFS/NFS translator to bootstrap the process. If you have the lynx browser installed on your system (default on RedHat Linux systems), you can easily bootstrap the process with the command
Taylor and /usr/local

The standard configuration at SLAC is to have /usr/local be a symlink to a common directory in AFS so that most machines share a common software configuration. If a private /usr/local directory is desired on a machine, add the taylor option usrlocal=local to the /etc/taylor.opts file. Taylor itself is written to be independent of /usr/local.
Taylor and root privileges

Taylor has a concept of workgroups to govern who has privileges on a given machine. Administrator privilege is granted primarily with the sudo(1) command, and secondarily with the root passwords. Workgroups are set up by SCS in conjunction with departmental system administrators to help distribute administration tasks to the appropriate level. See the man page taylor.opts(5) for the currently defined workgroup names.
For each workgroup, there may be a defined set of people who have sudo privileges to perform administrative tasks. The privileges may be limited to specific tasks, or may extend to full administrative control of the machine. On all taylored machines, SCS staff members have sudo privileges so that they can perform administrative tasks on behalf of the users.
In a few workgroups, the departmental system administrators have the root password for all machines in the workgroup. In general, this is not necessary, since sudo covers almost all administration tasks. In all other workgroups, SCS holds the root password. SCS maintains a secondary root account on all machines, which is used for administrative and security tasks.
The special workgroup none may be specified in /etc/taylor.opts to cause taylor to leave the existing root password entry unchanged. Use of this option is discouraged by the SLAC Computer Security group.
Taylor and local accounts

Taylor validates the standard administrative accounts such as bin, adm, and nobody that should be defined on all systems. These entries are checked for security loopholes. Some entries that can be used as backdoors to systems by hackers are removed.
Other local accounts are left unchanged by taylor. Local accounts should never be set up unnecessarily, since all SLAC accounts are valid for login on most taylored machines. Local accounts should only be defined in accordance with SLAC policy.
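The page says taylor checks the standard administrative accounts for security loopholes but does not list the checks. The following added example (written for this page, not taylor's code) shows what such a validation of /etc/passwd entries typically looks like from a defender's side: it flags an empty password field, a second UID-0 account besides root, and an interactive shell on an account that should never log in. The set of non-login shells and the sample passwd lines are constructed assumptions; only the account names bin, adm and nobody come from the page.

```python
"""Sanity check of administrative accounts in /etc/passwd.

Example code for this page, not taylor's own validation.  Assumptions:
the NOLOGIN_SHELLS set and the sample passwd lines are constructed; the
three checks are common ones, not a statement of what taylor checks.
"""
from typing import List, NamedTuple

ADMIN_ACCOUNTS = {"bin", "adm", "nobody"}                          # named on the page
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}  # assumption

# Constructed sample data: a healthy root/bin pair and three problem entries.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/bin/sh
nobody::99:99:Nobody:/:/sbin/nologin
toor:x:0:0:second superuser:/root:/bin/sh
"""


class Finding(NamedTuple):
    user: str
    problem: str


def check_passwd(text: str) -> List[Finding]:
    """Return one Finding per problem found in passwd-format text."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue                                   # tolerate blank lines
        fields = raw.split(":")
        if len(fields) != 7:                           # passwd(5) has exactly 7 fields
            findings.append(Finding(raw, "malformed entry (expected 7 colon-separated fields)"))
            continue
        user, passwd, uid, _gid, _gecos, _home, shell = fields
        if passwd == "":                               # empty field: login without a password
            findings.append(Finding(user, "empty password field"))
        if uid == "0" and user != "root":              # extra superuser account
            findings.append(Finding(user, "UID 0 account other than root"))
        if user in ADMIN_ACCOUNTS and shell not in NOLOGIN_SHELLS:
            findings.append(Finding(user, f"administrative account has login shell {shell}"))
    return findings


if __name__ == "__main__":
    for finding in check_passwd(SAMPLE_PASSWD):
        print(f"{finding.user}: {finding.problem}")
```

Run against a real file with `check_passwd(open("/etc/passwd").read())`; a clean machine produces an empty list, and anything returned is a candidate for the kind of removal or repair the section describes.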
Taylor log files

Taylor traces its actions to stdout as it runs. When it runs as a daily cron job, it directs its output to the directory /var/adm/taylor/logs. Each log is named by the date and time that it ran. This log may be examined to see what actions taylor performed most recently.
As taylor replaces files on the machine, it diffs the new files with the versions that it replaces. The last 30 days of diffs are kept in the directory /var/adm/taylor/diffs. This log may be examined for details of the precise changes performed by taylor in each run.
Taylor normally sets itself up to run both as a cron job and as a startup/shutdown script, so that a workstation that has been down for a time is updated immediately.
Taylor can be run from the command line, either when an immediate change is needed or simply to test what would happen when it runs. The usual command would be taylor everything, to duplicate what the nightly cron job would do. To run a test job, add the -verbose and -test options:
Documentation and information

There are several man pages for taylor and information displays from taylor itself.
Owner: Chuck Boeheim