[NTLUG:Discuss] Rack mount server access

Chris Cox cjcox at acm.org
Wed Jan 30 17:09:48 CST 2008


Greg Edwards wrote:
>> From: discuss-bounces at ntlug.org [mailto:discuss-bounces at ntlug.org] On
>> Behalf Of Chris Cox
> 
>> Physical console is the "right" way for normal admin work (just
>> fyi).  Ideally the most secure (provided there's adequate
>> physical security).
>>
> 
> Agreed, but when the system is in the data center it creates an issue,
> well more of a PIA.  This is an MS shop so I'll need to admin the system
> and I'm not located in the data center.  My initial plan was to not have
> X running on the server, but in the future I'll need to train MS sys
> admins who are used to point-and-click.

There are a lot of solutions out there... for Linux/Unix boxes we
use serial consoles for out of band management (yes, we can get
to boxes if we wanted to without the network even remotely).

On the Windows side (and Linux or whatever too), major vendors like
Dell and HP have remote access through their "lights out" products.
It acts like a remote KVM.

And of course, there are KVM over IP (and other) solutions as
well.

My point about "console" is that X in most cases is NOT the
console itself.... didn't mean to suggest the console had
to be something that was not accessible from a remote
location.  We don't like devices where remote consoling is
impossible.... in general, there aren't too many pieces of
hardware that fall into that category anymore.  The physical
access comment was too slanted on my part... I shouldn't
have said that one.

So:

Unix/Linux (preference) - Serial Console access over IP or
modem via Avocent (Cyclades) units (there are other vendors, and
other vendors may be considerably better... we started with
Cyclades though).  This works great 90% of the time.  There
are OSes making this more difficult.  IBM's AIX platforms
now want a proprietary remote console and using serial
for console login is difficult.  Red Hat's administration
tools are all graphical... requiring an X server somewhere
defeating what you used to be able to do without X Windows.
Solaris (via serial ILO), HPUX and SUSE Linux love this style
config.... very lightweight.  Allows you to create very
minimal installs and still have remote console (no X
install needed or heavy X clients).  Added bonus, on
Solaris and HPUX boxes, no graphics card needs to be
purchased at all.... not so on x86 Linux, though most servers
can be configured for serial console, but you have to do that
initial BIOS config somehow.

Windows (preference) - ILO2 from HP.  We are an HP shop.  HP's
ILO2 works with standard machines as well as their blade
systems and gives you a remote KVM.  And yes, it even works
with Linux hosts.  ILO2 Java client works with Linux.  This
helps solve the Red Hat stupidity (KISS and Red Hat seem
to be like oil and water lately... if there's a complicated
way to do things... Red Hat will make it mandatory).

KVM over IP (or direct) - KVM over IP allows administrators
a limited number of connections to the consoles of hosts.  Tends
to be a bit expensive, but it's a general purpose solution.  Remote
clients usually have to be Windows, but some speak generic RDP
or even VNC.  Check into the latter if you want to use
this across your Windows and Linux hosts.

AIX... well... right now, we've been forced to set up their
stupid console thing... which oddly enough uses Linux (but
locked down so you can't do anything interesting with it).
Older AIX boxes still route their consoles out the serial
port (as God intended)... so no problem with those... just
the new boxes are a headache.

Of course, as you mentioned, a significant portion of admin
work doesn't directly involve the console, so other options
can be used... just have to look at the potential security
holes that might create and address those for your
environment (e.g. some might force sudo or some other kind
of policy/role setup).


