Stanford Linear Accelerator Center

Taylor

Updated: August 15, 2007

Taylor is a system for configuring a Unix workstation for use at SLAC. Taylor performs initial setup of a workstation for the SLAC environment, and then performs regular updates of the system to incorporate updates and security fixes as they become available. Taylor is currently available for Solaris and Linux, and there is limited support for Mac OS X.

The tasks that taylor performs are:

  • Configure the network interfaces for the correct subnet at SLAC.
  • Set up network services such as NIS, DNS, NTP, and syslog correctly.
  • Install or update recommended software, including AFS, AMD, SSH, and LPRng.
  • Maintain the passwd and groups files for system accounts.
  • Set up the SLAC environment, including settings for Objectivity, Kanga, CERNLIB, and Oracle.

You will need root access (either the root password or sudo permission) to run taylor on a workstation.

Installing Taylor

/etc/taylor.opts file

Taylor has many configuration options. Most are only for use on servers and are not appropriate or useful on workstations. The generally applicable options are documented in the man page taylor.opts(5).

Before running taylor, create a file named /etc/taylor.opts. The file holds one option per line. On/off options are set by giving just the option name and unset by prefixing the option name with 'no'. Options that take values have the value specified following an equals sign on the same line. Comments and blank lines are ignored. A template options file with common options in comments can be found in /afs/slac/package/taylor/taylor.opts. If you have AFS already installed on your machine, you can become root and copy it to /etc/taylor.opts and modify as appropriate. If you do not have AFS installed, click on the link above and use the browser's Save As... menu to save a copy on your machine and copy it from there into /etc.

Bootstrapping Taylor

Taylor is available through AFS to SLAC machines. If you do not already have AFS installed, you will need to use the AFS/NFS translator to bootstrap the process. If you have the lynx browser installed on your system (default on RedHat Linux systems), you can easily bootstrap the process with the command

lynx -source http://www/comp/unix/linux/go-taylor | sh

You may also click on go-taylor and use Save As... to save that script on your machine, and then use the command sh go-taylor to run it.

Taylor and /usr/local

The standard configuration at SLAC is to have /usr/local be a symlink to a common directory in AFS so that most machines share a common software configuration. To keep a private /usr/local directory on a machine, add the taylor option usrlocal=local to the /etc/taylor.opts file. Taylor itself is written to be independent of /usr/local.

Taylor and root privileges

Taylor has a concept of workgroups to govern who has privileges on a given machine. Administrator privilege is granted primarily with the sudo(1) command, and secondarily with the root passwords. Workgroups are set up by SCS in conjunction with departmental system administrators to help distribute administration tasks to the appropriate level. See the man page taylor.opts(5) for the currently defined workgroup names.

For each workgroup, there may be a defined set of people who have sudo privileges to perform administrative tasks. The privileges may be limited to specific tasks, or may extend to full administrative control of the machine. On all taylored machines, SCS staff members have sudo privileges so that they can perform administrative tasks on behalf of the users.

In addition, the primary user of the workstation, as identified in CANDO, can request sudo privileges on that machine by filling out the privilege request form.

In a few workgroups, the departmental system administrators have the root password for all machines in the workgroup. In general, this is not necessary, since sudo covers almost all administration tasks. In all other workgroups, SCS holds the root password. SCS maintains a secondary root account on all machines, which is used for administrative and security tasks.

The special workgroup none may be specified in /etc/taylor.opts to cause taylor to leave the existing root password entry unchanged. Use of this option is discouraged by the SLAC Computer Security group.
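As an added example (not taylor's own code and not part of the original page), this Python parses the option-file format described under /etc/taylor.opts and flags the two settings discussed above. The '#' comment marker, the option name workgroup, and the flag names exampleflag and otherflag are assumptions; usrlocal=local is from the page.

```python
import re

# Constructed sample, not a real SLAC options file. "usrlocal" is from the
# page; "workgroup", "exampleflag" and "otherflag" are assumed names.
SAMPLE_OPTS = """\
# private software tree on this host
usrlocal=local

workgroup=none
exampleflag
nootherflag
noexampleflag
not a valid line!
"""

def parse_taylor_opts(text):
    """Return (options, problems). Values: True/False for flags, str otherwise."""
    options, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        if "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
        elif line.startswith("no") and len(line) > 2:
            # A leading "no" unsets a flag. A flag whose real name begins with
            # "no" cannot be told apart without taylor's own option list.
            name, value = line[2:], False
        else:
            name, value = line, True
        if not re.fullmatch(r"[A-Za-z][\w.-]*", name):
            problems.append(f"line {lineno}: cannot parse {raw!r}")
            continue
        if name in options:
            # The page does not say which setting wins; keep the last, report it.
            problems.append(f"line {lineno}: {name} set more than once")
        options[name] = value
    return options, problems

def review(options):
    """Flag the two settings the page singles out."""
    notes = []
    if options.get("workgroup") == "none":   # key name is an assumption
        notes.append("workgroup none: taylor leaves the root password entry unchanged")
    if options.get("usrlocal") == "local":
        notes.append("usrlocal=local: private /usr/local, not the shared AFS tree")
    return notes
```

Running parse_taylor_opts over a host's options file and then review over the result gives a quick list of hosts that have opted out of the managed root password or the shared software tree.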

Taylor and local accounts

Taylor validates the standard administrative accounts, such as bin, adm, and nobody, that should be defined on all systems. These entries are checked for security loopholes. Some entries that can be used as backdoors to systems by hackers are removed.

Other local accounts are left unchanged by taylor. Local accounts should never be set up unnecessarily, since all SLAC accounts are valid for login on most taylored machines. Local accounts should only be defined in accordance with SLAC policy.

Taylor log files

Taylor traces its actions to stdout as it runs. When it runs as a daily cron job, it directs its output to the directory /var/adm/taylor/logs. Each log is named by the date and time that it ran. This log may be examined to see what actions taylor performed most recently.

As taylor replaces files on the machine, it diffs the new files with the versions that it replaces. The last 30 days of diffs are kept in the directory /var/adm/taylor/diffs. This log may be examined for details of the precise changes performed by taylor in each run.

Running Taylor

Taylor normally sets itself up to run both as a cron job and as a startup/shutdown script, so that a workstation that has been down for a time will be updated immediately.

Taylor can be run from the command line, either when an immediate change is needed, or simply to test out what would happen when it runs. The usual command would be taylor everything to duplicate what the nightly cron job would do. To run a test job, add the -verbose and -test options:

taylor -test -verbose everything

In this mode, taylor will report what it would have done, but not actually perform the action. The -verbose flag also makes it report on actions that it considered doing but were unnecessary, because the files were already up to date. There may occasionally be errors reported when running with the -test flag, for instance when one step creates a directory and a later step copies files to it; if the directory is not created because of the -test flag, the copy step will complain about the missing directory.

Documentation and information

There are several man pages for taylor and information displays from taylor itself.
man taylor
    Describes the taylor tool, including command-line options, the various operations that can be included in a taylor script, and the taylor pre-processor language. This is primarily of interest to those writing new taylor scripts.
man taylor.opts
    Describes the most commonly used taylor options in the taylor.opts file that would be used by workstation administrators.
man taylor.cf
    Describes all taylor options and what they control. This includes specialized options that are only useful with specific servers.
taylor list
    Displays a list of parts (tasks) that can be executed in your current environment.
taylor -d 3 printenv
    Displays the current taylor options and environment, including default settings.
/var/adm/taylor
    Directory of taylor logs and diffs for an individual machine.
/afs/slac.stanford.edu/g/scs/systems/report/hostrpt
    Summary of information about all taylored machines at SLAC.

Owner: Chuck Boeheim