Slashdot Mirror

← Back to Stories (view on slashdot.org)

Distributing Unix Knowledge Among Admins?

Posted by Cliff on from the ya-gotta-work-together-to-get-ahead dept.

chadworthman asks: "I work in a server support role with 6 other sys admins. We are all responsible for 10 to 25 servers each (various flavours of Unix), mostly grouped by project. The person who is responsible for a server is called prime. We also identify a sys admin as secondary. This system is not working out well. Most sys admins are only familiar with the environments that they are prime for, and when a prime contact is not in the office or leaves the company, the rest of us try to figure out the environment. We are currently trying to figure out the best way to transfer knowledge of environments between sys admins. We have considered a plan that would involve partnering with another co-worker while you trade knowledge, then after a certain number of months, trade with someone else. I was wondering what other techniques for knowledge transfer between sys admins Slashdotters have encountered."

29 of 56 comments (clear)

  1. standardize by tps12 · · Score: 2, Insightful

    You need to try to adapt each environment towards a single standard that everyone then becomes familiar with. Yes, this will sacrifice some features of each platform, but that is the price you pay for greater scalability and flexibility. This is the kind of thing that made different flavors of Windows so popular with sys admins, and it's high time the Unix world followed suit.

    --

    Karma: Good (despite my invention of the Karma: sig)
  2. Documentation by drivers · · Score: 3, Informative

    Documentation. It's what you need. Some standardization would probably help too.

    1. Re:Documentation by TheTomcat · · Score: 3, Informative

      We use a Wiki Wiki Web for all of our internal system (servers, network, telephone, hardware, etc) documentation.

      PHP Wiki

      It's great. Simple to use, easy to update, can read and edit from any web terminal on this side of our firewall. Need to find out hardware info about the Mac in the corner office? Log into the hardware tracker directly FROM said Mac.

      S

  3. Document by photon317 · · Score: 3, Insightful


    Set up a knowledgebase of system information, make it versionable, and perhaps commentable in blogs-style. Make it publish to a departmental web server, and have everyone document the hell out of everything there. Things that go there:

    Invetories of systems and of software
    Licenses and whatnot
    Purchase info
    Common practices docs (disk layout procedures, installation procedures, patching procedures, downtime procedures, etc)...
    etc...etc..

    You get the idea. The company shouldn't be reliant on an employee's brain as part of their business plan - document everythign in such a way that if the whole staff went missing, a new staff of competent unix professionals could take over and do somethign useful based on your web docs.

    --
    11*43+456^2
    1. Re:Document by geirt · · Score: 3, Interesting

      We have just started to use a wiki for this purpose, and it looks good. We use MoinMoin, a wiki written in python which does versioning, and can send email notifications when a page is updated. People are documeting much more than before.

      --

      RFC1925
    2. Re:Document by 4of12 · · Score: 2

      In particular, have your admins write down

      • problem symptom calls they receive
      • what they did to refine the diagnose and isolate the cause
      • exactly what they did to fix it (I can see where SysV and BSD camps each need for the other to be explicit about things they each take for granted.)

      Finally, because a system like this depends on the cooperation of the sysadmins involved to be complete and detailed about this documentation, you need to heap frequent praise and monetary rewards on those that do a good job documenting their work.

      Make sure they understand that if a secondary sysadmin is able to keep their system going while they're on vacation that it is not a sign of job insecurity, but a sign of a first class sysadmin that makes sure his company keeps running even if he's on vacation.

      --
      "Provided by the management for your protection."
  4. Rotate your primes by LordNimon · · Score: 4, Interesting

    Every two months, the primes all rotate. After a year, you will all be experts on all systems.

    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
    1. Re:Rotate your primes by metacosm · · Score: 3, Insightful

      The solution presented in the parent post is the correct one. Documentation is fine and dandy, but it doesn't come close to experience. Great thing about rotating primes is that the "true blue expert" is still around, but he is off learning something new too. Everyone puts their ego on hold and pitches in to help. This will generate well rounded techs that can handle a broader array of issues, as a group and independantly.

  5. Look! by itwerx · · Score: 3, Insightful

    It's a bird!
    It's a plane!
    It's a flock of binders!

    But seriously, documentation is key to anything like this. I know most sysadmins wail and moan and gnash their teeth at the very thought, but good documentation is almost as important as good backups!
    YMMV but it might actually be worth picking somebody as the "doc-meister" to learn ALL of the systems and have the other admins submit config changes etc. to this person on an on-going basis.
    This also helps prevent the common admin trick of just printing out tons of scripts to fill the binder and saying "See, it's all documented, right here" - except it doesn't actually help anybody understand anything!
    This way if the documentation lead can't understand it then you know a replacement admin won't either and changes can be made before it's really needed.

  6. they're a team, right? by medcalf · · Score: 2, Insightful

    So make them act like a team. All admins are responsible for all servers. I am assuming that you the group doesn't have a lot of time to document (most groups don't), but there are still practical ways to make it work, with minimal time taken in advance:

    1. common file system layouts (for example, all users in /home, all apps in /apps, all admin-only stuff in /admin (or whatever standards you want to use)
    2. one person (team lead) owns all of the licenses, and keeps them up to date, as well as scheduling non-reactive work
    3. if you're not responsible for the applications on the system, then everyone should be able to handle any machine, since no specialized knowledge is needed
    4. of course, specialized knowledge is still needed, because some systems have quirks. Document the quirks only (not standard routines for the whole team) both on the machine (in /admin/local/README or whatever) and on your team webserver - if you don't have one, get one
    5. keep a change log for each machine, in /admin/local and on the webserver, that describes any changes that aren't in someone's home directory and which survive a reboot - who did them, when and why
    6. make sure than standing orders (that is to say, procedures to always be followed, like how to notify clients of an outage) are posted on each machine and on the website
    7. use a common root password, known by the team lead and his manager. everyone else uses sudo su - to get to root, or some similar means. give them the root password if they need it (reinstall system, for example), then change it the next day. ideally, set up a system so that each admin saves to a different history file, so that you can tell who did what if you need to (tracking down mysterious file disappearances and such) - this isn't a tool for discipline, it's a tool for troubleshooting

    That should solve most of the problems.

    --
    -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
    1. Re:they're a team, right? by cjpez · · Score: 3
      7. use a common root password
      Um, how about . . . No.

      Having the same password on multiple machines is bad. Very bad. Especially when it's a root password. Someone compromises one box, suddenly they've compromised all of them. Not good.

      --
      Al Qaeda has ninjas!
    2. Re:they're a team, right? by medcalf · · Score: 2

      If you have a different root password on each system, you have to write them down, which is much less secure than having one very difficult-to-crack root password. If these are external systems, I am assuming that the questioner has been smart enough to only allow ssh or similar access anyway, rather than something which passes passwords in the clear.

      --
      -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
    3. Re:they're a team, right? by Meleschi · · Score: 2, Insightful

      Come on now..

      In all honesty, that is a good idea. Common usernames/passwords and root/passwords on an similarly configured machines eases administration, and makes it easier to memorize what the password is.

      I admin over 30 machines. Do you think I'm going to remember 60 different passwords? (one for the user, one for root, because we all know ssh/telnet should beallowed to login directly as root, right?) Hell no. Even if I used my palm, it would still be cumbersome. Instead, each class of server has it's own username/password structure... the linux boxes are of one type, and the "other" boxes are different.. This leaves me with around 10 passwords total to memorize, with one or two of the less used ones in a pgp locked spreadsheet on my laptop.

      Memorizing 60 distinctly different login/passwords is almost impossible.

      Other things other posters have said also have merit. Have the same directory structure on as many servers as possible (not possible when you compoare windows to unix for example). Have the same set of tools available for troubleshooting on the different platforms also.... GNU tools compile on almost any unix flavor. Use that to your advantage! There's no reason to remember the different key sequences to the various unix versions of "df" for example, when you can install the GNU version, and have the same command with the same switches do the same things on all of your unix servers. But please, leave your OS version there, just in case. =)

      In addition, you need someone hell bent on security. Have a couple of people install and setup Nessus and scan your network once a month or so, AND FIX THE HOLES. Every network/system has holes. Different servers will have different holes to patch. Only by actively looking for them will you find them. If a server cannot be patched for whatever reason, isolate it on the network with separate password/logins from the "secure" servers, and ACL/ACI's implemented to prevent that server from being able to access other servers it doesn't absolutely need access to.

      Eternal Vigelence. It is difficult to get to this point in a large network with 20+ specialized servers. But with a team that large, you should be able to do it...

      --
      Meep Meep!
    4. Re:they're a team, right? by cjpez · · Score: 2
      It's not a question of whether or not the passwords are being sent in cleartext. There have been holes found in SSH before, and there probably will be again. Plus, there's an excellent chance that SSH isn't the ONLY thing listening on these boxes. A hole in ANY service running can be enough for someone to get in. And once someone's in, it's much easier to grab root access, because it's easier to keep tabs on what's listening on ports than all the thousands of binaries that aren't. Once you've got root on a box, it's a simple matter of installing some trojaned binaries to grab passwords for you. It doesn't matter if the password's been sent in plaintext or not.

      And things can get very quickly complicated, because again, once a malicious person has gained access to ONE of your systems, suddenly it's completely trivial to get into all the rest. If you enforce different passwords on each box, then you're containing the fire. The blackhat will still have 0wNz0r3d one of your boxes, but it's contained there, and he's got to go through the same amount of work to get into any of the others, which increases the probability of someone noticing illicit behaviour, increases the probability that this person will screw up and make a mistake, and increase the probability that he might not be able to get in at all.

      As to writing passwords down, obviously that's a problem. If people are going to be writing passwords down somewhere, you've got to have a good deal of actual, physical security if you want to be able to feel safe about it. It helps to have passwords related somehow. Pick a paragraph from a book; the first letter of each word in sentence 1 makes up the password for box 1, the second sentence goes for box 2 . . . There's many ways to relate passwords such that it's easier to remember.

      Remember, you're not just defending against a brute-force cracker or someone sniffing plaintext passwords. There's much more to it than that.

      --
      Al Qaeda has ninjas!
    5. Re:they're a team, right? by cjpez · · Score: 2
      Instead, each class of server has it's own username/password structure
      Okay, but that's a bit different from saying "Use the same root password for each machine." Making the password some function of the box name for a farm with 30+ machines would probably be okay if it's done right, but if it's something as simple as "blahblah-machinename," someone who's cracked their way to the root password of one machine might be able to figure it out and get in everywhere . . .

      If you're willing to carry PDAs around with you, it'd be pretty cool to have a program (itself passwd-protected, of course - you'll have to remember that one) that, given the name of the box, would hash the name somehow to come up with a unique password on a per-box basis. Just type in the box name and you've got the password. Obviously if anyone who wasn't supposed to could get into that program, you'd have Issues . . . I think I've seen some things on Sourceforge that do basically that.

      --
      Al Qaeda has ninjas!
    6. Re:they're a team, right? by cjpez · · Score: 2
      Right, it certainly is a problem. As I mentioned in another post in this thread, I think the ideal solution would be to have some way to generate passwords based on the host name (or IP, or whatever) of the boxes you've gotta keep track of, in a non-obvious and somewhat secure way. Like, you'd have an application, password-protected itself, of course, that would have you input the name of the box. It'd then churn through a bunch of algorithms and transforms and eventually come out with a password for the box. The algorithm would obviously have to be tweakable, so you could change passwords in a uniform fashion, and the security on the program itself is paramount (you don't want just anyone getting access to the program you're using, or the algorithms used).

      I found a project called Twonz that does something like that. You input a "base" password, and then the name of the host, or IP, or whatever, and it computes what the actual password would be. It looks a bit incomplete for a scalable solution; as I mentioned, I'd like to have the app itself be password protected, and have the ability to mess around with the generation algorithm, but the basic bit is there . . .

      Just an idea, anyway. :)

      --
      Al Qaeda has ninjas!
    7. Re:they're a team, right? by cjpez · · Score: 2
      I mentioned this elsewhere in the thread. I found a cool little program called Twonz that looks like it could be the start of a good solution for that. You just remember one "password", and then type in the name of the box, or the IP, or something else unique to the one box, and it'll "combine" the two to give you a fresh password. I haven't done more investigation than looking at that homepage, but there's only a few issues with it, as far as I can see:
      • I'd like the app itself to be password-protected, although that's not terribly necessary
      • I'd like to make sure that the transformation to get the final password is, indeed, a one-way transform. That way, given one password and the name of the box, you can't reverse engineer the "master" password.
      • It'd be nice to choose between a list of algorithms used to generate the master password, and to be able to tweak the algorithms for your own personal use.
      Anyway, it seems really good, because even if someone DOES get ahold of the program, they still won't be able to find out passwords to your systems without knowing that "master" password. So you remember that one password, and you can generate passwords for all your machines.
      --
      Al Qaeda has ninjas!
  7. common setup by martin · · Score: 2


    1. Document what you've got. Make the doumentation standard.
    2. Move the 'primes' around every couple of months so you all get exposure.
    3. Common install base. make sure you can automagically install from scratch the O/S's and applications (ge jumpstart on SOlaris, HPUX and AIX have their variants). If at any stage you need to type anything you've failed.
    4. Read, digest and implement "The Practice of System and Network Administration" by Limoncelli and Hogan ISBN: 0201702711. This is a great book for any admin and for me is the K&R of its subject.

  8. Pick one. by cperciva · · Score: 2

    (various flavours of Unix)

    That's where your problem lies. Pick one, and get everyone comfortable with that one.

    --
    Tarsnap: Online backups for the truly paranoid
  9. Has to be said..... by jsimon12 · · Score: 2

    Why not a Vulcan mind meld?

    Should effectively transfer all the needed knowledge, and a little of each persons personality, but that might not be such a bad thing.

  10. Hire admins that already know multiple systems... by oobeleck · · Score: 2
    Like me.
    I know Solaris/HP-UX/Linux/*BSD and Win2K and Some Cisco. AND I happen to want a new job...
    Hire me please........ ;-)

  11. Re:Hire admins that already know multiple systems. by itwerx · · Score: 2

    Not to rain on your job-seeking parade but I know all of the above plus Netware 2.x through 6.x, NT all the way back to 3.50, AT&T Sys-V (not that anybody cares any more) and DG's AOS-VS and it STILL took me a year to find a new job.
    Admittedly I have been pretty picky, I probably could have gotten a job in a month or so if I just took the first thing that came along, but who wants to do tier-one tech support?!? :(

    Thank god I've never been laid off...

    (Well, okay, I'll admit it, I was once - but I was only 12 years old. :)

  12. sameness && docs by josepha48 · · Score: 2
    make the environments the same.

    In the company I work for I ported all the scripts to Linux and Sun from HP. Thus we have 'sameness'. you want to build a database. It does not matter what platform you are on the command is the same. You want to create a new dev env. It does not matter what platform you are on the script is the same on ALL platforms.

    By creating a level of 'sameness' across all your platforms it will not matter weather the server is Sun, HP, Linux, BSD, whatever the scripts will all be the same. Since you are talking about being an admin I'd suggest all scripts in perl or sh. The problem you may run into with perl is that perl rarely gets installed in the same place on all platforms. Thus the start of a script with /usr/bin/perl may not work, where /bin/sh will. Yes and there are coding ways around the perl issue as well.

    Granted you will have different machine that do different jobs, this is where documentation comes in. Make sure that all your stuff is documented. If someone sets up a server they need to be required to describe how this server was set up. Using the principle of sameness this cuts down on the need for lots of docs, and thus anyone can set up the server.

    Shells.. standardize on a shell. Standard login shell. More importantly is the standardization of what shell people use. I go with tcsh, as I like it better than ksh csh and sh, and it is available everywhere (Sun, HP, BSD, Linux, etc). It is also feature rich. You can standardize on any shell, but make sure it is everywhere you need it to be.

    Once you have standardized on a shell, use a standard login env. Thus when you login to your BSD box it feels like your Sun box, which feels like your Linux box, etc.

    If people want to add to this have a process in place to make it happen.

    Except for system tools like Sam on HP, and Redhats sysadmin tools, there is no reason that many other tasks cannot be done in scripts that are standard. You can even standardize on what a database server setup should include, what a web server setup should include, and have standards that are the same or different (I prefer sameness unless performsance is an issue) for each flavor of UNIX.

    --

    Only 'flamers' flame!

  13. Re:Hire admins that already know multiple systems. by oobeleck · · Score: 2
    Don't worry I always carry an umbrella... I was busy getting a business degree while you were doing Netware.
    The job market sucks BIGTIME right now. I am at a dot.com that may soon turn into a dot.bomb.
    Hopefully I will find something before that happens. I have been looking for hard for about 3 months now.
    I could have had 3 or 4 positions for security IF I wanted contract work.
    Any good suggestions where to look? The job boards are pretty much worthless. I appreciate any suggestions.

  14. Just use the machine... by pmz · · Score: 2

    I have found this to be very effective.

    --
    Healthcare article at Kuro5hin
  15. Non-paid support calls by isj · · Score: 2, Funny

    As mentioned by other posters, documentation and job rotation is good.

    To make sure the documentation is up-to-date, accessible etc. you can make the support calls from the secondary admins to the "prime" non-paid. After a few support calls in the night, on your holiday etc. you will make sure that the documentation is up-to-date, accessible, people know where it is, etc.

    Yes, I am evil :-)

  16. Two things by coyote-san · · Score: 5, Interesting

    Your company needs to do two things.

    First, fire the manager who got you into this situation. If you've "been doing it this way for years," fire the manager who left this system in place. (If that manager just left and the new guy realizes there's a problem and that's why you're asking this, then obviously there's no action taken against him.)

    I'm not being bloodthirsty here - anything short of this will leave people doubtful that upper management is serious that this is *the* biggest problem your company faces today, and people will continue to do what they've been doing for anything but the most trivial problems. Senior management needs to send an unambiguous signal that the status quo is unacceptable.

    Second, rotate the primes and secondaries as others have suggested, but with a twist. Rotate the secondaries first, and their sole responsibility is to write a list of questions - a long list of questions - about everything that "surprises" them or that needs to be documented somewhere. (An example of the latter is "what are the partitions, what are their sizes, and how was this size determined?"

    They turn over their questions to the primes who spend a few weeks documenting the answers while the secondaries cover for their old prime, and this documentation is provided to the next set of secondaries rotated in to ask questions. Lather, rinse, repeat.

    By the third time around (maybe 3 months?) you'll have documentation that actually covers almost everything someone will need to get up to speed on the peculiarities of a particular project, and the primaries can start rotating while the secondaries answer any remaining questions.

    Finally, I'm deliberately putting the emphasis on the secondaries here because one of the classic problems with your old setup is that it can cause the secondaries's skills to stagnate if the prime handles all of the "hard" or "interesting" problems. You need to give the secondaries room to grow, even if it increases your turnover rate because they're competent enough to be hired as primes at other companies.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  17. Re:Come on people... by bellings · · Score: 2

    Considering that 1/2 the readers here are probably admins themselves...

    Damn... coffee just sprayed out of my nose, and all over my keyboard. I had no idea the +0 comments were so damned funny.

    --
    Slashdot is jumping the shark. I'm just driving the boat.
  18. Documentation misses a lot by barzok · · Score: 2

    Often, when writing documentation we leave out things because we take them for granted or "well, it's just like that." Other people without that experience don't know that, and the gaps become apparent QUICK.

    Documentation AND experience. One can't take up the slack for the other being weak.