Carnegie Mellon University School of Computer Science

Linux (Dragon) Management Environment

There are more than a thousand Linux workstations throughout the School of Computer Science. In order to provide functional and scalable management, SCS Computing Facilities (SCSCF) has implemented a customized environment as well as deployed Linux distributions with customizations specific to our environment. This computing environment is known as "Dragon", after the dragon in the logo of the School of Computer Science.

The SCSCF Dragon computing environment attempts to adhere as much as possible to what a user would get from installing a stock system from the vendor's installation method. Dragon will only very rarely install additional software that is not present in a "vanilla" install, as there are often many different choices of software available from the vendor for a particular computing task. The only exceptions to this philosophy are when a particular piece of non-default software is required to be present and/or configured a particular way to interact with core SCS services (for example: Kerberos or Printing) or when the default absence of a particular piece of software or configuration option results in a security vulnerability (for example: Dragon Ubuntu systems come with fail2ban — a log-scanner/firewall-blacklister — installed and enabled by default to prevent brute-force password-guessing attempts via SSH).

Because the SCSCF Dragon environment only installs the stock vendor software choices, and because there can be countless software options for a particular computing task, Dragon primarily relies on the operating system vendor for security and bugfix updates. SCSCF can and will provide security and bugfix updates for stock, core software if the vendor is not timely enough in releasing an update, but non-default software is left to the vendor to fix.

Modifications

Modifications and additions that have been made to the stock vendor environment on Unix/Linux hosts running SCSCF Dragon include:

  • OS and vendor-provided software updates are pulled from a local mirror of the distribution vendor's package repository. This mirror lives on the SCS network to provide reliability and conserve bandwidth.
  • Hosts are configured to run the vendor's automatic software upgrade system nightly.
  • An additional software repository is configured which contains locally-modified or patched versions of vendor-provided software, in order to provide timely response to security problems or bug fixes. These updates are provided in the vendor's package format, and are integrated into the standard OS package management systems.
  • Configuration is installed that grants SCS Computing Facilities staff access to the host for system maintenance and troubleshooting.
  • Many system configuration files get the majority of their defaults from the OS vendor, but Facilities provides a few tweaks that are merged into the existing system configuration. The automated configuration-merging systems also take care to preserve any changes a user or local administrator has made that deviate from the vendor or Facilities defaults.
  • The vendor's AFS client is installed as the standard means for providing central file services.
  • Kerberos support is enabled for many services by default.
  • The mail system has been configured to forward all mail to the central mail system.
  • A daemon is installed to provide desktop backups (on machines that request them).
  • SUP & Depot are installed to provide nightly updates of locally-written software (mostly cross-platform system administration utilities used by Facilities for automated management of a large number of systems).

For the most part, host-specific customizations can be done according to the OS vendor's typical mechanisms. See the SCS Dragon Unix/Linux administrators guide for information on how to perform certain system administration tasks and customize Dragon hosts in situations that deviate from the vendor's provided utilities. The SCS Dragon Unix/Linux quick reference has an overview of some common questions when using SCS Dragon on Unix/Linux hosts.