This archive contains answers to questions sent to Unidata support through mid-2025. Note that the archive is no longer being updated. We provide the archive for reference; many of the answers presented here remain technically correct, even if somewhat outdated. For the most up-to-date information on the use of NSF Unidata software and data services, please consult the Software Documentation first.
Hi Scott,

re:
> I want to thank you for all the help you have provided thus far.

No worries.

re:
> I now have
> our LDM server setup and I think configured. I have a few questions that I
> hope are OK to ask.
>
> Information:
>
> - Virtual computer running Red Hat Enterprise 5.7, 1 GB RAM, 20 GB HDD,
>   IP: 146.6.225.29
> - LDM 6.9.8 has been installed, queue created and the services started
>
> Here are the questions I have,
>
> 1. How is security handled to keep unwanted people from accessing the data or
>    is that an issue?

It is up to the LDM administrator to set up appropriate ALLOW(s) in
~ldm/etc/ldmd.conf. An ALLOW specifies which machine(s) are allowed
to REQUEST data. If the IP address for the machine REQUESTing data is not
included in an ALLOW, the LDM will reject the feed request.

Furthermore, one can set up firewall rules that will reject requests
from machines that one deems to be unauthorized.

re:
> 2. Any security issues I need to be aware of to make sure the server is
>    configured as it should be?

The LDM should be built as a user that does _not_ have superuser privilege.
Two programs in the LDM distribution get setuid root permission (ldmd and
hupsyslog), but they run with this permission for very short periods of time:

hupsyslog - only purpose is to send a HUP signal to syslog daemon

ldmd - uses root privilege to get port 388. After getting the port, it
falls back to running as the LDM user (typically 'ldm')

re:
> 3. How do I confirm LDM auto starts when the server is rebooted?

You must set up the start of the LDM on boot. The LDM documentation presents
an example script that does this, but it is your job to modify it ** if needed **
for your installation. Setting up the script to be run at boot time
must be done as 'root'.

re:
> 4. Do all changes have to be made through the ldm or root user?

Yes.

re:
> 5. I'm getting a message from SELinux that it is in permissive mode and is
>    allowing things that it would not otherwise block. For LDM to function
>    as it should, what mode should the system default enforcing mode be set
>    to or is permissive advisable?

We set SELINUX to disabled here in the UPC. One can use 'permissive', but
all LDM log messages will be replicated in system log files in this mode.

re:
> 6. Is there anything special I need to know about the queue before I can
>    hand the server off to the research group to start their configuration?

- the LDM queue should NOT be located on an NFS-mounted file system

- the LDM queue should be sized to hold about an hour's worth of data,
  especially if the machine will feed one or more downstreams

- at the same time, since the LDM queue is memory mapped, it should be
  created small enough to entirely "fit" into existing memory (RAM,
  not RAM+swap) with enough memory left over for all of the other
  things that the system will do (e.g., run decoders, etc.)

- there are some versions of Linux for which the LDM queue should not
  be located on a RAID. Current versions of Linux should not have
  this problem, but I felt that I should mention it anyway.

- the LDM queue can be damaged by, for instance, the machine going down
  during a write. The automatic startup script one implements should,
  therefore, have logic to detect when the queue is damaged and delete
  and remake it if needed.

Cheers,

Tom
--
****************************************************************************
Unidata User Support UCAR Unidata Program
(303) 497-8642 P.O. Box 3000
address@hidden Boulder, CO 80307
----------------------------------------------------------------------------
Unidata HomePage http://www.unidata.ucar.edu
****************************************************************************

Ticket Details
===================
Ticket ID: BNN-590198
Department: Support IDD
Priority: Normal
Status: Closed
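
An added example, not part of the original reply or of the LDM distribution: one way to audit the ALLOW entries discussed under question 1, listing which feedtypes a given host could REQUEST and flagging host patterns that admit more than intended. The sample ldmd.conf text, the host names and the probe list are constructed, and Python's `re` (unanchored, case-insensitive search) is assumed to approximate the extended-regular-expression matching LDM applies to host patterns.

```python
import re

# Constructed sample of ~ldm/etc/ldmd.conf (hosts and addresses are placeholders).
SAMPLE_CONF = r"""
# feed access
ALLOW   ANY         ^((localhost|loopback)|(127\.0\.0\.1\.?$))
ALLOW   ANY         ^downstream\.example\.edu\.?$
ALLOW   IDS|DDPLUS  ^192\.0\.2\.[0-9]+$
ALLOW   ANY         .*
ALLOW   NEXRAD3     example.edu
REQUEST ANY ".*" upstream.example.edu
"""

# Hosts that no entry is meant to admit; a match means the pattern is too broad.
PROBES = ("unrelated.invalid", "203.0.113.77", "example.edu.other.invalid")

def parse_allows(text):
    """Return (line_number, feedtype, host_pattern) for each ALLOW entry."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) >= 3 and fields[0].upper() == "ALLOW":
            entries.append((n, fields[1], fields[2]))
    return entries

def admits(pattern, host):
    # Assumption: unanchored, case-insensitive search approximates LDM's ERE match.
    return re.search(pattern, host, re.IGNORECASE) is not None

def feeds_for(entries, host):
    """Feedtypes a host could REQUEST under these ALLOW entries."""
    return [feed for _, feed, pat in entries if admits(pat, host)]

def audit(entries):
    """Flag ALLOW entries whose pattern admits a host it was not meant for."""
    findings = []
    for n, feed, pat in entries:
        hits = [h for h in PROBES if admits(pat, h)]
        if hits:
            findings.append((n, feed, pat, hits))
    return findings

if __name__ == "__main__":
    entries = parse_allows(SAMPLE_CONF)
    for n, feed, pat, hits in audit(entries):
        print(f"line {n}: ALLOW {feed} {pat!r} also admits {hits}")
    print("192.0.2.10 ->", feeds_for(entries, "192.0.2.10"))
```

The unanchored `example.edu` entry is flagged because it matches any host name that merely contains that string; anchoring with `^` and `$` and escaping the dots, as in the `downstream` entry, closes that gap.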