Version 73 (modified by Nick Holden, 10 years ago)

System admin for the BRICCS infrastructure

A list of the servers and systems we have available, and what software they are running.

Hospital systems

On the hospital side, the servers are Virtual Machines created within the UHL data centre facility managed by IM&T. We currently have nine VMs, visible only from within the hospital environment. One of them (uhlbriccsex01) has an external-facing address for client access.

In addition, we have two laptops with server software, running Ubuntu on VMWare Player, so that REDCap can be delivered in stand-alone mode, initially for the GRAPHIC 2 study. More information is on the study page.

  • Standard packages: mailutils build-essential clamav htop fail2ban logwatch nagios3 chkrootkit snort make zip unzip apt-file python-software-properties
  • Mail setting 'Internet with smarthost': the system needs to be able to manage local and outgoing mail. The smarthost smtp.xuhl-tr.nhs.uk is used for everything else; the server IPs then need adding to the UHL SMTP whitelist. This is arranged by UHL IM&T (Paul Tracey).
  • ClamAV: Put the following in cron.weekly and chmod 755:
#!/bin/bash
clamscan -ri --exclude-dir=^/sys\|^/proc\|^/dev / | mail -s "ClamAV Scan Results for `date +%D`" email@email.domain
  • All UHL machines need to be able to access the internet for updates, etc. For this they need to be 'allowed by rule' through the BlueCoat firewall. This is arranged by UHL IM&T (Geoff Harrison for VMs in the data centre, Bradley Wright for the laptops / desktop machines).

uhlbriccsapp01

  • Hostname : uhlbriccsapp01.xuhl-tr.nhs.uk
  • Location : UHL 10.156.254.207
  • Subnet - 255.255.255.128, Gateway - 10.156.254.129
  • DNS - 10.147.126.165 10.147.126.166 10.156.249.165 10.156.249.166 10.160.15.165 10.160.15.166
  • Hardware : Virtual machine
  • Software : Ubuntu 9.10 - upgraded to Ubuntu 12.04.1 LTS on 09/11/2012
    • Packages: sun-java6-bin sun-java6-jdk maven2 perl openssl apache2 php webmin.deb php5-mcrypt mcrypt
  • Services
    • Onyx and dependencies, including the pmi lookup
    • MRBS for room bookings
    • REDCap for production studies and surveys
    • webmin to port 10000 (HTTPS)
    • byobu for multiple terminals if desired
    • Printing: CUPS on app01. Configure using the web interface, but in normal operation comment out the Listen 10.156.254.207 line in /etc/cups/cupsd.conf. Currently the only user in the lpadmin group is nick. Printer configured as 'TMF-HP' for use in Onyx.

briccsdb

  • Hostname : briccsdb.xuhl-tr.nhs.uk
  • Location : UHL 10.156.254.206
  • Subnet - 255.255.255.128, Gateway - 10.156.254.129
  • DNS - 10.147.126.165 10.147.126.166 10.156.249.165 10.156.249.166 10.160.15.165 10.160.15.166
  • Hardware : Virtual machine
  • Software : Ubuntu 9.10 - upgraded to Ubuntu 12.04.1 LTS on 09/11/2012
    • Packages: phpmyadmin mysql perl openssl webmin.deb
  • Services
    • MySQL database for Onyx, REDCap and the BRICCS ID label system.
    • phpmyadmin at /phpmyadmin/
    • webmin to port 10000 (HTTPS)
    • byobu for multiple terminals if desired

briccsdev

  • Hostname : uhlbriccsdev.xuhl-tr.nhs.uk
  • Location : UHL 10.156.254.218
  • OLD LOCATION: 10.147.126.57
  • Subnet - 255.255.255.128, Gateway - 10.156.254.129
  • DNS - 10.147.126.165 10.147.126.166 10.156.249.165 10.156.249.166 10.160.15.165 10.160.15.166
  • Hardware : Virtual machine
  • Software : Ubuntu 10.04 - upgraded to Ubuntu 12.04.1 LTS on 15/10/2012
    • Packages: phpmyadmin mysql perl openssl webmin.deb php5-mcrypt mcrypt
  • Services
    • OnyxTestSystem and dependencies, including the test pmi lookup
    • REDCap for testing

briccsdbdev

  • Hostname : uhlbriccsdbdev.xuhl-tr.nhs.uk
  • Location : UHL 10.156.254.217
  • OLD LOCATION: 10.147.126.56
  • Subnet - 255.255.255.128, Gateway - 10.156.254.129
  • DNS - 10.147.126.165 10.147.126.166 10.156.249.165 10.156.249.166 10.160.15.165 10.160.15.166
  • Hardware : Virtual machine
  • Software : Ubuntu 10.04 - upgraded to Ubuntu 12.04.1 LTS on 15/10/2012
    • Packages: phpmyadmin mysql perl openssl webmin.deb

uhlbriccsapp02

  • Hostname : uhlbriccsapp02.xuhl-tr.nhs.uk
  • Location : UHL 10.156.254.252
  • Subnet - 255.255.255.128, Gateway - 10.156.254.129
  • DNS - 10.147.126.165 10.147.126.166 10.156.249.165 10.156.249.166 10.160.15.165 10.160.15.166
  • Hardware : Virtual machine
  • Software : Ubuntu 10.04 - upgraded to Ubuntu 12.04.1 LTS on 09/11/2012
    • Packages: phpmyadmin mysql perl openssl webmin.deb
  • Services
    • Testing version of i2b2

uhlbriccsapp03

  • Hostname : uhlbriccsapp03.xuhl-tr.nhs.uk
  • Location : UHL 10.156.254.254
  • Subnet - 255.255.255.128, Gateway - 10.156.254.129
  • DNS - 10.147.126.165 10.147.126.166 10.156.249.165 10.156.249.166 10.160.15.165 10.160.15.166
  • Hardware : Virtual machine
  • Software : Ubuntu 10.04 - upgraded to Ubuntu 12.04.1 LTS on 09/11/2012
    • Packages: phpmyadmin mysql perl openssl webmin.deb
  • Services
    • Live version of i2b2

uhlbriccsapp04

  • Hostname : uhlbriccsapp04.xuhl-tr.nhs.uk
  • Location : UHL 10.156.253.176
  • Subnet - 255.255.255.128, Gateway - 10.156.253.129
  • DNS - 10.147.126.165 10.147.126.166 10.156.249.165 10.156.249.166 10.160.15.165 10.160.15.166
  • Hardware : Virtual machine
  • Software : Ubuntu 12.04.1 LTS
    • Packages: pwgen php5 php5-mysql php5-ldap php5-sybase php5-gd php5-gmp php-pear php5-dev subversion mysql-client-core-5.5 git
  • Services
    • Testing version of CiviCRM

uhlbriccsapp05

  • Hostname : uhlbriccsapp05.xuhl-tr.nhs.uk
  • Location : UHL 10.156.253.177
  • Subnet - 255.255.255.128, Gateway - 10.156.253.129
  • DNS - 10.147.126.165 10.147.126.166 10.156.249.165 10.156.249.166 10.160.15.165 10.160.15.166
  • Hardware : Virtual machine
  • Software : Ubuntu 12.04.1 LTS
    • Packages: pwgen php5 php5-mysql php5-ldap php5-sybase php5-gd php5-gmp php-pear php5-dev subversion mysql-client-core-5.5 git
  • Services
    • Live version of CiviCRM

uhlbriccsEXT01

  • Hostname : briccsext01.xuhl-tr.nhs.uk
  • Location : UHL 10.156.253.175
  • Subnet - 255.255.255.128, Gateway - 10.156.254.129
  • DNS - 10.147.126.165 10.147.126.166 10.156.249.165 10.156.249.166 10.160.15.165 10.160.15.166
  • Hardware : Virtual machine
  • Software : Ubuntu 12.04.1 LTS
    • Packages: sun-java6-bin sun-java6-jdk maven2 perl openssl apache2 php webmin.deb
  • Services
    • Onyx and dependencies, NOT including the pmi lookup, to service external recruitment. Deployed on tomcat over SSL.

JLMVLX1

  • Hostname : JLMVLX1.xuhl-tr.nhs.uk
  • Location : UHL 10.161.54.246
  • Subnet - 255.255.255.128, Gateway - 10.161.54.129
  • DNS - Managed by the host laptop
  • Hardware : Laptop running VMWare Player
  • OS : Ubuntu 12.04.1 LTS
    • Packages: phpmyadmin mysql perl openssl webmin.deb open-vm-tools open-vm-toolbox

On the Windows host machine, the 'all users' start menu has a shortcut to REDCap, and the 'default applications' item is removed. A batch file 'startup.bat' in the all users' startup applications folder triggers the starting of the VM.

The batch file to close the VM only works for me, not for Sue. Is this a firewall issue? I've set the network (using the Local Security Policy) to be private, and that didn't help. Andy Carruthers suggests setting other users to 'power user' status (or failing that, 'local administrator' status) and seeing if that gives them enough rights to shut down the VMs. If it does, that is an acceptable solution, given that it's only a couple of users and a couple of laptops. On testing, power user is not sufficient, but local admin is. Caroline Hughes is processing applications for local admin status.

  • Services
    • REDCap for out of hospital use

4MMVLX1

  • Hostname : 4MMVLX1.xuhl-tr.nhs.uk
  • Location : UHL 10.161.54.247
  • Subnet - 255.255.255.128, Gateway - 10.161.54.129
  • DNS - Managed by the host laptop
  • Hardware : Laptop running VMWare Player
  • OS : Ubuntu 12.04.1 LTS
    • Packages: phpmyadmin mysql perl openssl webmin.deb open-vm-tools open-vm-toolbox
  • Services
    • REDCap for out of hospital use

University systems: LAMP Infrastructure

All systems on the University side should eventually run on LAMP infrastructure. The systems are VMs provided by RCS.

In the case of the three CaTissue VMs, where the 'alias' is accessed over https, it is actually an alias for the LAMP Load Balancer run by RCS. The load balancer passes the requests to apache on the app server on port 80, and apache uses mod_proxy and mod_proxy_http or mod_proxy_ajp to pass the request to JBoss on 8080. JBoss works natively.

CaTissue DEV / LAMP 15

The CaTissue DEV server is a LAMP 2 instance.

  • Control interface: 143.210.56.57 login15.lamp.le.ac.uk
  • Public interface: 143.210.56.58 www15.lamp.le.ac.uk
  • Alias: catissue-dev.lcbru.le.ac.uk
  • 2GB RAM
  • 8GB in /local
  • 5GB in /db
  • Integral MySQL server, apache, JBoss, CaTissue and Sampler app

CaTissue LIVE / LAMP 50

The CaTissue LIVE server is a LAMP 2 instance.

  • Control interface: 143.210.56.77 login50.lamp.le.ac.uk
  • Public interface: 143.210.56.78 www50.lamp.le.ac.uk
  • Alias: catissue-live.lcbru.le.ac.uk
  • 4GB RAM
  • 8GB in /local
  • 8GB in /db
  • Integral MySQL server, apache, JBoss, CaTissue and Sampler app

CaTissue TRAINING / LAMP 16

The CaTissue TRAINING server is a LAMP 2 instance.

  • Control interface: 143.210.56.55 login16.lamp.le.ac.uk
  • Public interface: 143.210.56.56 www16.lamp.le.ac.uk
  • Alias: catissue-trn.lcbru.le.ac.uk
  • 2GB RAM
  • 8GB in /local
  • 5GB in /db
  • Integral MySQL server, apache, JBoss, CaTissue and Sampler app

LCBRU Trac

  • Control interface: 143.210.170.85 lamp-api-51.rcs.le.ac.uk
  • Public interface: 143.210.170.89 lamp-lbi-51.rcs.le.ac.uk
  • Alias: lcbru-trac.rcs.le.ac.uk
  • 2GB RAM
  • 20GB in /local
  • Access to MySQL server at 192.168.16.133

LCBRU maven and data repositories

  • Control interface: 143.210.170.86 lamp-api-52.rcs.le.ac.uk
  • Public interface: 143.210.170.90 lamp-lbi-52.rcs.le.ac.uk
  • Alias: lcbru-maven.rcs.le.ac.uk
  • Alias: lcbru-data.rcs.le.ac.uk
  • 2GB RAM
  • 20GB in /local
  • Access to MySQL server at 192.168.16.139

SCAD project web server

  • 512MB RAM
  • 8GB in /local
  • Local MySQL instance - 1GB in /db

Pre-LAMP University systems : OBSOLETE

The following were systems on the University side which were subsequently moved to the LAMP infrastructure. The systems are provided by RCS.

briccs-1

  • Hostname : briccs-1.rcs.le.ac.uk
  • Location : RCS
  • Hardware : ?
  • Software : OpenSuse

ssh -X briccs-1.rcs.le.ac.uk
nrh11@briccs-1:~> echo $DISPLAY
localhost:13.1
nrh11@briccs-1:~> sudo su -
nrh11's password:
briccs-1:~ # export DISPLAY=localhost:13.1
briccs-1:~ # xauth merge ~nrh11/.Xauthority
briccs-1:~ # VirtualBox

  • VMs provisioned:

briccs-4.rcs.le.ac.uk 02:01:8F:D2:AA:8C 143.210.170.140
briccs-5.rcs.le.ac.uk 02:01:8F:D2:AA:8D 143.210.170.141
briccs-6.rcs.le.ac.uk 02:01:8F:D2:AA:8E 143.210.170.142
briccs-7.rcs.le.ac.uk 02:01:8F:D2:AA:8F 143.210.170.143

Settings

  • IP mask : 255.255.255.0
  • Gateway : 143.210.170.1
  • DNS one : 143.210.12.152
  • DNS two : 143.210.12.154

VBoxManage man page: http://www.virtualbox.org/manual/ch08.html

Note: when rebuilding a VM, its SSH host key will change. On local machines use "ssh-keygen -R hostname" and "ssh-keygen -R IP" to remove the old keys, then reconnect.

briccs-2

  • Hostname : briccs-2.rcs.le.ac.uk
  • Location : RCS
  • Hardware : VirtualBox virtual machine
  • Software : OpenSuse
  • Services
    • NONE
    • Was: Subversion (svn) repository - but this has now been transferred to the University RCS SVN service.

briccs-3

  • Hostname : briccs-3.rcs.le.ac.uk
  • Location : RCS
  • Hardware : VirtualBox virtual machine
  • Software : OpenSuse

VMs on briccs-1

  • The VMs on briccs-1 are transitory, however please check with the listed owner before destruction.

briccs-4

  • Hostname : briccs-4.rcs.le.ac.uk
  • Ownership: DM
  • Location : briccs-1
  • Hardware : VirtualBox virtual machine
  • Software : CentOS 6.2
  • Services
    • NONE

briccs-5

  • Hostname : briccs-5.rcs.le.ac.uk
  • Ownership: JL
  • Location : briccs-1
  • Hardware : VirtualBox virtual machine
  • Software : CentOS
  • Services
    • NONE

briccs-6

  • Hostname : briccs-6.rcs.le.ac.uk
  • Ownership: JL
  • Location : briccs-1
  • Hardware : VirtualBox virtual machine
  • Software : CentOS
  • Services
    • NONE

briccs-7

  • Hostname : briccs-7.rcs.le.ac.uk
  • Ownership:
  • Location : briccs-1
  • Hardware : VirtualBox virtual machine
  • Software : CentOS 5.5 (64bit)
  • Services
    • NONE
    • Was
      • Trac system - NOW MIGRATED TO lcbru-trac.rcs.le.ac.uk, see above
      • Maven repository - NOW MIGRATED TO lcbru-maven.rcs.le.ac.uk, see above
      • Data repository - NOW MIGRATED TO lcbru-data.rcs.le.ac.uk, see above

BRICCS Server Security

The following should be considered the standard specification for BRICCS Server Security:

ClamAV: Put the following in cron.weekly and chmod 755:

#!/bin/bash
clamscan -ri --exclude-dir=^/sys\|^/proc\|^/dev / | mail -s "ClamAV Scan Results for `date +%D`" email@email.domain
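
An added example (not part of the original wiki page) extending the weekly job above: in the pipeline as written, clamscan's exit status is lost behind mail's, so this version captures it and puts the outcome in the subject line. The function names, the MAILTO and EXCLUDES variables and the --run switch are assumptions for illustration.

```shell
#!/bin/bash
# Added example, not the BRICCS script: weekly ClamAV scan that reports
# clamscan's exit status. Names below are assumptions for illustration.

MAILTO="${MAILTO:-email@email.domain}"   # placeholder address, as on the page
EXCLUDES='^/sys|^/proc|^/dev'            # same directories the page excludes

# Map clamscan's documented exit status (0 = clean, 1 = virus found,
# 2 = error) to a subject line, so an infected or failed scan stands out.
scan_subject() {
    local status="$1" host
    host="$(hostname -s 2>/dev/null || echo unknown)"
    case "$status" in
        0) echo "[OK] ClamAV scan clean on $host" ;;
        1) echo "[INFECTED] ClamAV found malware on $host" ;;
        *) echo "[ERROR] ClamAV scan failed on $host (exit $status)" ;;
    esac
}

# Run the scan into a temporary report, keep the exit status, mail both.
# Any other status (e.g. 127, clamscan not installed) is reported as an error.
run_weekly_scan() {
    local target="${1:-/}" report status
    report="$(mktemp)" || return 2
    clamscan -ri --exclude-dir="$EXCLUDES" "$target" >"$report" 2>&1
    status=$?
    mail -s "$(scan_subject "$status") $(date +%F)" "$MAILTO" <"$report"
    rm -f "$report"
    return "$status"
}

# Scan only when called with --run, so the file can be sourced safely.
# run-parts (cron.weekly) passes no arguments: call it from a wrapper
# or a crontab line that supplies --run.
if [ "${1:-}" = "--run" ]; then
    run_weekly_scan /
fi
```
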

fail2ban

logwatch

  • Note: By default logwatch mails daily reports to root@localhost - this probably isn't what we want. Configure /usr/share/logwatch/default.conf/logwatch.conf and alter the target address to someone who gives a damn.

Nagios

chkrootkit

Snort

What else?
