Differences between revisions 102 and 258 (spanning 156 versions)
Revision 102 as of 2011-10-11 16:03:29
Size: 15593
Editor: BobAdamson
Comment:
Revision 258 as of 2021-08-02 19:13:22
Size: 16368
Editor: JamesArcus
Comment: Remove outdated advice on proprietary AMD drivers
Line 1: Line 1:
One day, it would be nice to have a standard operating environment for UCC clubroom machines. Currently the state of them could be described as varying degrees of broken, partly due to having no defined procedure for setting them up. The purpose of this page is to brainstorm what this procedure should be. This page is intended as a guide to set up UCC machines in some sort of standard way. Please update this if you find any problems when installing things (especially if using newer versions than described here).
Line 7: Line 7:
= Windows Profiles =

Please see WindowsProfiles for more information on how these work / how you should manage them.

= Windows 7 =

== Steps to do before/during installation ==
 * Add forward and reverse DNS entries for the machine. <!> ''Not essential for setup''
 * Add the machine to DHCP. <!> ''Not essential for setup''

== During/after installation ==
 * Install Win7 Pro, not the home edition, or you won't be able to add it to the domain
 * Make sure you create at least 3 disk partitions - one for windows, one for games/other, and one or more for linux
 * Enable the Administrator account and set a password, nuke the user you created during install
  * Handy hint: Instead of logging in with LOCALMACHINENAME\Administrator, log in with .\Administrator
 * Install F-Prot antivirus, <!> You will need a wheel member to give you the registration key
 * Install device drivers (graphics and sound most importantly).
 * Run the registry hack from [[http://wiki.samba.org/index.php/Windows7]] - you won't be able to add the machine to the domain without doing this)
 * Configure it to be part of the domain 'UCCDOMAIN'. (Control Panel, System, Advanced System Settings, Computer Name) ''Ignore the error message''
 * Install and configure wpkg.
  * Both the client installer and the config files will be in //Mylah/wpkg
  * Import settings using the "import settings" button from //Mylah/wpkg/settings.xml
  * Go into service management and change the WPKG Service startup type to Automatic (Delayed Start) '''This step is essential, wpkg will not work without it'''
  * Restart the computer
 * Set up printing.
 * Add Winadmins to computer administrators.
 * Add static route for 130.95.13.0/26: at a command prompt, type
{{{route add -p 130.95.13.0 MASK 255.255.255.192 130.95.13.65}}}
 . ''This prevents a VPN connection from trying to steal the default route to users home directories.''

== Software to install ==
Software in this list should either be free to download and install, or something that the UCC has a license for. Some preference is given to software which is [[http://wpkg.org/Category:Silent_Installers|easily deployed with WPKG]].

== Installed automatically via WPKG ==
 * Putty
 * Open``Office
 * Firefox
 * Security policy to hide last logged in user
 * Windows experience index test after initial install
 * Win``SCP
 * OCS Inventory
 * Fox``IT Reader
 * GIMP
 * Ario (MPD client: http://ario-player.sourceforge.net/)
 * Xming
 * Inkscape
 * CD Burning Software: Infra''''''Recorder (isorecorder is no longer needed, as infrarecorder can do images)

== Install by hand ==
 * WolfET
 * Steam
 * Mik``Tex then Lyx (in that order, be sure to enable auto-package downloads in Mik``Tex)
 * Thunderbird
 * VLC
 * Daemon Tools (v3.46 was the last release before it was bundled with spyware, see http://www.daemon-tools.cc/dtcc/download.php?mode=Download&id=70)
 * PrimoPDF (a print to PDF utility)

= Windows XP =

== Steps to do before/during installation ==
 * Add forward and reverse DNS entries for the machine. <!> ''Not essential for setup''
 * Add the machine to DHCP. <!> ''Not essential for setup''
 * Add the machine template to Samba. As root on Mylah, run `/home/wheel/bin/ucc-addwinpc computername`. <!>

== During/after installation ==
 * Install Windows XP SP3 and configure it to be part of the domain 'UCCDOMAIN'.
 * Install device drivers (graphics and sound most importantly).
 * Set up printing.
 * Add Winadmins to computer administrators.
 * Configure WPKG. ''Install WPKG Client 1.3.9.msi, and load settings.xml using 'import settings', both in //mylah/wpkg''
  * As winxp is no longer the default profile, you will need to edit /wpkg/hosts.xml and make an entry for the machine
 * Turn Windows Updates on to fully-automatic.
 * Add static route for 130.95.13.0/26: at a command prompt, type
{{{route add -p 130.95.13.0 MASK 255.255.255.192 130.95.13.65}}}

== Software to install ==
Software in this list should either be free to download and install, or something that the UCC has a license for. Some preference is given to software which is [[http://wpkg.org/Category:Silent_Installers|easily deployed with WPKG]].

 * Open''''''Office
 * Media Player 11
 * CD Burning Software ''such as? possibilities include http://www.deepburner.com/ and http://infrarecorder.sourceforge.net/''
 * F-Prot Antivirus \\musundo\fprot\ contains installers (use the MSI packages) and license codes in licenses.txt. You will need a handy wheel member to open licences.txt for you.
 * VLC
 * Daemon Tools (v3.46 was the last release before it was bundled with spyware, see http://www.daemon-tools.cc/dtcc/download.php?mode=Download&id=70)
 * Windows Live messenger
 * Steam
 * Audacity
 * Google Talk
 * irfanview (and the plugin that knows about jpeg orientation jfif tags)
 * winscp
 * DirectX 9 runtime
 * Notepad++

=== What about... ===
 * Active''''''State Active''''''Python and/or Active''''''Perl
 * Eclipse? Massive but apparently Java programmers love it
 * Net''''''Beans? Not nearly as massive (but still quite large)
 * Komodo Edit, a rather nice lightweight programmers' editor
 * gVim, the logical alternative to the above
 * TortoiseSVN
 * Cygwin ''I vote no, it's horrible [DAA]''
 * sequoiaview?
 * Hardware design tools like ..
 * SwitcherCADIII (free download with very active support list)
 * Ultium Designer (on at least one machine) or Free (limited) version of Eagle
 * Pushing the UCC CA out over WPKG? http://wpkg.org/SSL_CA_Install
 * Inkscape
 * The GIMP

== Installed automatically via WPKG ==
 * Java Runtime Environment
 * Firefox 3
 * Flash player
 * PuTTY (''also add the binary directory to %PATH% [RVS]'' - not done yet)
 * Xming
 * GTK+ 2.14
 * 7zip
 * FileZilla
 * Thunderbird
 * [[http://isorecorder.alexfeinman.com/isorecorder.htm|ISORecorder]]
 * Ario (MPD client: http://ario-player.sourceforge.net/)
 * BZFlag
 * Adobe Reader 9
 * InfraRecorder
= Before you start =

== Steps to do before installation ==
  * <!> Add forward and reverse DNS entries for the machine.
  * <!> Add the machine to DHCP.
  * <!> Make sure all licenses required are on hand (see `/home/wheel/docs/software-license/` on a user server)

== Steps to do after ==
 * Check everything works as expected
 * Email [email protected] with a summary of what was set up/re-installed

= Dualboot Machines =

'''These instructions relate to Dualbooting Windows 10 and Linux Mint'''. If installing a dualboot machine, always install Windows first where possible.

 1. [[#Windows_10|Install Windows]] following the below. Make note of the following when setting up the disks:
  * Depending on the size of the disk, try to reserve up to 500GB or more for Windows.
  * Linux works fine on anything down to about 100GB but 200GB+ is preferable.
 2. [[#Linux_Desktops|Install Linux]], making sure to use the previously reserved disk space.
  * Use a '''different hostname''' for the Linux installation (eg. `catfish` on Windows, and `catfish-linux` on Linux, or vice-versa)
  * This is necessary so that the machine accounts in AD don't have the same name, otherwise one OS's entry overwrites the other and things get broken.
 3. Set up a scheduled task on Windows to reboot into Linux each day.

= Windows 10 =

All new Windows machines in UCC should be installed with Windows 10 by default. Previous versions are deprecated.

 1. Find a Windows install disk or make a new one. Make sure you select the Professional edition.
  * You can download the latest ISO image [[https://www.microsoft.com/en-au/software-download/windows10ISO|here]] and USB imaging tool [[https://www.microsoft.com/en-us/download/details.aspx?id=56485|here]].
 2. Plug in the install disk and boot from it.
  * Select the US keyboard layout and Australian time/date format.
  * Agree to the license terms etc.
 3. Partition the disks.
  * Delete all existing partitions (if any) on the designated install disk.
  * Select the empty space and click "New" to create a new partition. Enter the desired size or use the whole disk (if not doing dualboot).
 4. Create a dummy user account (call it something like `accmurph`)
 5. Finish the installer. Once it has rebooted into the new Windows system and you have logged in you can continue.
 6. Install software.
  * Software in this list should either be free to download and install, or something that the UCC has a license for.
  * Open '''Powershell''' as Administrator and run the following: {{{
Set-ExecutionPolicy Bypass; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

choco install -y 7zip.install adobereader chocolateygui discord firefox flashplayerplugin foxitreader freecad gimp git.install googlechrome hwmonitor inkscape javaruntime keepass.install kicad kitty libreoffice lyx miktex notepadplusplus.install opera paint.net python3 texstudio tor-browser vivaldi vlc vscode windirstat winscp.install
}}}
  * Install '''Steam''' and '''Battle.net''' to the games drive (if any).
  * Install the ocsinventory agent from [[https://www.ocsinventory-ng.org/en/]].
   * This software maintains a registry of all our hardware and is used to determine which machines need upgrading. The server to point it at is https://ocsinventory.ucc.asn.au/ocsinventory and turn off SSL cert verification. No auth is required.
 7. Set the Windows computer name - the installer picks a random one automatically and this is bad.
  * Right click on the Start button, select "System", then click "Rename this PC" and enter the desired name.
 7. Configure the system for the UCC network. (type any `commands` below into the Administrator Powershell window you just opened)
  * Delete the dummy user created during install, enable the local Administrator account and set the password: {{{
net user accmurph /delete
net user Administrator /active:yes
net user Administrator <Clubroom Password>
}}}
  * Join the machine to the domain `UCCDOMAYNE` as described in [[ActiveDirectory#Windows]].
  * '''REBOOT.'''
  * You may need to manually set the time if it is out of sync, run Command Prompt (not powershell!) as administrator and use the command `time HH:MM:SS`
  * Force update group policy on the machine (now in the admin Command Prompt window): {{{
gpupdate /force
}}}
   * Once Group Policy has been successfully applied (or before the machine is joined to the domain at all) you can force an NTP time sync with `w32tm /resync /force`
  * Add static route for 130.95.13.0/26: (''This prevents a VPN connection from trying to steal the default route to users home directories.''){{{
route add -p 130.95.13.0 MASK 255.255.255.192 130.95.13.65
}}}
  * Enable pings (alternatively, follow [[http://www.fixya.com/support/r5359816-allow_ping_icmp_echo_request_windows_7|this guide]]):
  . {{{
netsh firewall set icmpsetting 8 enable
}}}
 8. Add the UCC printer `blacklight` and set it as the default.

= Linux Desktops =
'''Linux Mint x64 ''Cinnamon'' (not the LMDE / Debian version) is the only Linux installation we support.'''

These instructions have been updated and checked with Linux Mint 19.1 - please update them to be compatible with any newer versions if you choose to install them.

 1. Find or create an install USB.
  * Download the ISO from [[https://www.linuxmint.com/download.php]] onto an existing Linux system. {{{
wget http://mirror.waia.asn.au/pub/linux/linuxmint/linuxmint-isos/linuxmint.com/stable/19.1/linuxmint-19.1-cinnamon-64bit.iso
}}}
  * Plug in the USB and get the device node with `lsblk` (look at the size of each drive)
  * Copy the image to the USB: (this will take a few minutes) {{{
sudo dd if=linuxmint-19.1-cinnamon-64bit.iso of=/dev/<usb identifier> bs=1M; sync;
}}}
 2. Boot from the USB and run the installer.
 3. Partition the disks. Select "something else" rather than the automagic guided options.
  * If you are setting up dualboot, do NOT delete any Windows-related partitions.
  * Create a new partition for the Linux system. No swap partition is required - mint no longer creates a swap partition by default, and can use a swap file in the root partition if swap space is required.
   * Use as ext4 file system and use `/` as the mount point.
  * Configure a dummy user, for example `accmurph`.
  * Use sensible values for the other options.
 4. Boot into the newly installed system and configure it
  * Set up [[ActiveDirectory#Linux|Active Directory]]
  * Ensure wheel group and sprocket group have sudo permission: {{{sudo visudo}}} {{{
%wheel ALL=(ALL:ALL) ALL
%sprocket ALL=(ALL:ALL) ALL
}}}
  * Ensure wheel group and sprocket group have administrative rights in Polkit. Create the file {{{/etc/polkit-1/localauthority.conf.d/90-ucc-desktops.conf}}} with the following contents: {{{
[Configuration]
AdminIdentities=unix-group:wheel;unix-group:sprocket
}}}
  * Modify `/etc/fstab` to mount `/away`. Use something like this (can differ with distro): {{{
away.ucc.gu.uwa.edu.au:/space/away/home /home nfs nfsvers=3,auto,rw,tcp,nosuid,nodev,soft,x-systemd.automount,x-systemd.device-timeout=10,x-systemd.requires=network-online.target 0 1
}}}
    * x-systemd.requires=network-online.target is oddly insufficient, but x-systemd.automount is relatively robust, see [[https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/|systemd]] . According to [[https://www.freedesktop.org/software/systemd/man/systemd.mount.html|mount]] , systemd-fstab-generator implicitly defeats retries and continues without "failing" by means of "x-systemd.mount-timeout=infinity,retry=10000,fg,nofail" , so try [[https://www.freedesktop.org/software/systemd/man/systemd.automount.html|automounts]]
  * Network configuration is via DHCP and handled entirely by `NetworkManager`
  * Use a local package repository mirror with `sudo mint-switch-to-local-mirror`
 5. Install software. {{{
sudo add-apt-repository "deb http://dl.google.com/linux/chrome/deb/ stable main"
wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
sudo apt update
sudo apt install -y adobe-flashplugin arduino blender build-essential cvs chromium-browser eclipse etckeeper fish freecad freeglut3-dev geeqie gimp glew-utils gnucash google-chrome-stable gtk2-engines-oxygen hugin inkscape jhead keepassxc kicad ladvd libreoffice mlocate mplayer nasm nfs-common ocsinventory-agent openjdk-11-jdk openssh-server parallel pepperflashplugin-nonfree pidgin python remmina remmina-plugin-rdp rdesktop rssh subversion thunderbird tig unattended-upgrades vim-gtk vlc zsh lyx texlive torbrowser-launcher xdotool
}}}
  * The server hostname for OCSInventory is `https://ocsinventory.ucc.asn.au/ocsinventory`
   * Check everything works by running '''ocsinventory-agent''' from the command line and then check https://ocsinventory.ucc.asn.au for an entry
  * <!> Set the root password, then add the UCC root SSH keys: add the hostname to `/home/wheel/bin/uccroot/push.sh`, then run that script.
  * Install vivaldi browser (there's no repo package at the moment) - go to https://www.vivaldi.com and install from there
 6. Set up the UCC printer `blacklight`
  * Open the '''Printers''' settings panel
  * Add printer directly (list its hostname in the insert field)
  * If the definition file cannot be located, download from the manufacturer's website (some googling may be required)
 7. Log in '''as your own user''' (reboot if necessary to do so) and go to login window preferences in the main menu
  * Set theme to elegance
  * Go to options and deselect "automatically select the last logged in user"
  * Also change the default session from "Automatically detected" to "cinnamon"
  * Delete the initial user: {{{ sudo userdel -r accmurph }}} (ignore any errors)
 8. Enable automatic upgrades in the Update Manager (GUI)
  . {{attachment:mintupdates.png|Tick the box "Apply updates automatically" and ignore any warnings about system stability|height=250}}
  . Tick the box "Apply updates automatically" and ignore any warnings about system stability.

=== Proprietary NVidia Drivers ===
NOTE: `nouveau` is preferred if it works, as it integrates with the kernel.

 1. Locate the driver edition for the card (the major number of the driver version specified on http://www.nvidia.com/Download/index.aspx?lang=en-us)
  * DON'T DOWNLOAD FROM HERE
  * Remember to select "Linux x64" as the OS
 1. Install the relevant package `sudo apt install nvidia-<VER>`
  * E.g. `nvidia-340` for the GeForce 9600
 1. Reboot
 1. If the graphics don't work (e.g. falls back to software rendering), `sudo apt purge nvidia-<VER>`
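Review bot: the PowerShell bootstrap under step 6 of the Windows 10 section (`Set-ExecutionPolicy Bypass; iex ((New-Object System.Net.WebClient).DownloadString(...))`) sets the Bypass policy without `-Scope Process`, so it lands in the default LocalMachine scope and persists after the install finishes; suggest `Set-ExecutionPolicy Bypass -Scope Process` and a sentence telling the installer to read install.ps1 before it is executed rather than piping it straight into `iex`. The same step tells the installer to turn off SSL certificate verification for the ocsinventory agent without saying why; since the page elsewhere has the machines trust the UCC CA (`UCC-CA.crt`), documenting how to trust that CA on Windows would avoid disabling verification on every new machine.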
Line 133: Line 149:
 * Add a root user and nuke the initial unprivileged user
 * Change sources.list to use UWA's mirror %s/au.archive.ubuntu.com/mirrors.uwa.edu.au\/ubuntu/
  * Beware of copying the apt_sources list from another server without copying the apt_preferences file too. You might suddenly find yourself with much newer versions of packages than you want.
 * At installation:
  * Avoid setting package sources to the UWA mirror as they are frequently out of date. AARNET seems to be the most reliable mirror at this stage
  * Keep APT sources.list (or software repositories) as minimal as possible, but if you don't:
    * Beware of copying the apt sources.list from another server without copying the apt_preferences file too. You might suddenly find yourself with much newer versions of packages than you want.
  * The UCC standard install has all volumes in LVM on md raid. Generally var and home are put on a separate logical volume to root. You had better have a good reason if you're not following this guideline!
 * Add a root user and nuke the initial unprivileged user:
  * That's as simple as running `passwd` as a super user, re-logging in as root and running `deluser` on the original user
 * If the machine has an SSD (or several thereof), ensure that TRIM (aka discard) is enabled at all layers (lvm and disk layer)
 * Set up DNS on [[Mooneye]]:
  * Add an entry to /etc/bind/domains/primary/ucc.machines then close the file and run zonemake.py in the same directory
  * If zonemake has errors, go back and fix them before proceeding!
  * Use `rndc reload` to get bind to reload the zone files
 * Set up DHCP on [[Murasoi]]:
  * Add the ethernet (MAC) address /etc/dhcp/dhcpd.conf
  * Restart the DHCP server with `service isc-dhcp-server restart`
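Review bot: the "Add a root user and nuke the initial unprivileged user" bullet now has the installer set a root password with `passwd`, but says nothing about whether password logins for root over SSH stay enabled, and the root SSH keys are only pushed in a later step (the "Configure the SSH server" bullets further down cover only the banner); suggest stating the intended `PermitRootLogin` value in this bullet so a new server is not left accepting root password authentication between the two steps.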
Line 137: Line 165:
  * Add the machine to DNS if it isn't there already
  * Add the ethernet (MAC) address to madako's /etc/dhcp3/dhcpd.conf if it isn't there already
  * Add the machine to the /etc/exports files on the appropriate servers (motsugo for /home, mylah for /away and /services)
  * Add the fstab line (copy off martello or something)
  * mount -a and hope
 * Add the UCC root SSH keys: add the hostname to /home/wheel/bin/uccroot/push.sh, start an ssh-agent and authenticate your root key, then run that script.
  * Copy the ssh banner from another server and modify it to suit
  * Only do this once you have DNS set up and working properlyChangeLog#preview
  * Add the machine to the /etc/exports files on the appropriate servers ([[Motsugo]] for /home, [[Molmol]] (or just host "away") for /away and nortel+onetel for /services). Reload the server config with `exportfs -r` (Linux) or `service mountd reload` (FreeBSD)
  * Remember that only machines on the machine room subnet and physically within the machine room should mount /home while pretty much every machine should mount /away
  * Add the fstab line (copy off [[Motsugo]] or something)
  * `mount -av` and hope
 * Configure the SSH server:
  * Copy the SSH banner (usually in /etc/issue.net) from another server and modify it to suit
  * Ensure the correct banner file is set in /etc/ssh/sshd_config
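Review bot: the /etc/exports bullet names the servers to edit and `exportfs -r` / `service mountd reload`, and the next bullet says only machine-room hosts should mount /home, but nothing says the export entry itself must be restricted to the specific host rather than a subnet or wildcard; suggest quoting the expected entry form (hostname plus options) so the restriction is enforced by the NFS server and not just by convention.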
Line 145: Line 174:
 * Set up [[LDAP]] - you may need to use libnss-ldapd and libpam-ldapd on newer Ubuntu and Debian (as opposed to the old libnss-ldap)
  * Ensure nsswitch.conf uses ldap for groups, passwd, and services - the latter is not done by default on most configurations.
  * You will also need to copy /etc/groups from another server
 * Install dispense: TODO, ask [TPG] how to do it for now.
 * Install Phonehome:
  * `apt-get install python-zsi rsync apt-listchanges`
  * As root on mooneye, start an ssh-agent and authenticate your root key, then `cd /usr/local/phonehome && ./setup.zsh $HOSTNAME`
 * Install postfix, then edit the `root:` line of /etc/aliases to direct mail to the ucc hostmaster address, then run `newaliases`
  * Restart the SSH server and confirm all working
 * Add the UCC root SSH keys:
  * Add the hostname to /home/wheel/bin/uccroot/push.sh (this will add wheel keys to the machine when the script is run)
  * For adding non-wheelians to certain machines, add their public key to the <machine name>-extra in that same folder
  * Start an ssh-agent using {{{eval `ssh-agent`}}} and authenticate your root key using {{{ssh-add ~<username>/.ssh/id_rsa}}}, then run the updated push.sh script
 * Setup Active Directory. Follow the instructions at [[ActiveDirectory]]
 * Allow wheel members sudo access to the machine by running {{{visudo}}} and adding the following lines:
 . {{{
# Allow wheel members to execute any command
%wheel ALL=(ALL:ALL) ALL
}}}
 * Install dispense: Go to {{{/home/wheel/tpg/gitclones/opendispense2}}}, run {{{make -C src/client clean all}}} and copy {{{dispense}}} to {{{/usr/local/bin}}} on the target server.
   * Add the machine's address as trusted in {{{/etc/opendispense2/dispsrv.conf}}} on `merlo`, and then restart `dispsrv` with {{{systemctl restart dispsrv}}}
   * For users to be able to dispense, you also need to install {{{oidentd}}}
 * Install postfix, set the mail host to {{{mailhost.ucc.gu.uwa.edu.au}}}
   * To have mail delivered locally, see [[http://www.postfix.org/STANDARD_CONFIGURATION_README.html|http://www.postfix.org/STANDARD_CONFIGURATION_README.html]]
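Review bot: the opendispense2 bullet adds the machine's address as trusted in `/etc/opendispense2/dispsrv.conf` on `merlo` with no matching decommissioning note; address-based trust outlives the machine unless someone removes it, so suggest adding "remove the entry when the machine is retired" here, and the same reminder for the hostname in push.sh and any `<machine name>-extra` key file.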
Line 154: Line 191:
##these are formatted like this so you can paste them straight into the terminal after apt-get install, keep them in alphabetical order please. [BOB]
{{{
alpine apache2 biff build-essential ccache cvs distcc finger fortune ircii irssi ladvd logwatch molly-guard monotone ncurses-term openbsd-inetd ocsinventory-agent rkhunter rssh screen subversion sudo sun-java6-jdk susv3 strace sxid vim wireshark zsh
}}}
  * If `ladvd` is not availble, choose `lldpd` instead. Edit /etc/init.d/ladvd or /etc/init.d/lldpd and add either -C or -c (respectively) to the daemon args, this will enable cdp and hence compatibility with cisco switches. Make sure you then restart the service.
  * The server for ocs inventory is ocsinventory-ng.ucc.gu.uwa.edu.au
  * For distcc, you will need to copy the config off another server from /etc/default/distcc
##these are formatted like this so you can paste them straight into the terminal after "apt install", keep them in alphabetical order please. [BOB]
 . {{{
alpine apache2 biff etckeeper finger fish joe ladvd logwatch mlocate molly-guard mosh ncurses-term ocsinventory-agent openbsd-inetd parallel rkhunter rssh screen subversion sudo strace sxid tig tmux tshark uptimed vim zsh
}}}
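Review bot: the new package line adds `tshark`, whose Debian/Ubuntu package asks at install time whether non-superusers should be able to capture packets; the list is meant to be pasted straight after `apt install`, so it should say which answer to give (the default "No" is the right one on a shared server).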
Line 162: Line 196:
{{{  . {{{
Line 165: Line 199:
  * Copy rkhunter.conf, pine.conf, mailname from another server
 * Install the UCC motd system on machines which mount /home: add the following line to /etc/inetd.conf:
{{{
 * Drop the following file into /etc/sysctl.d/50-local-ucc.conf
 {{{
# [msh] 201910..
kernel.dmesg_restrict=0
# [NTU][BOB][MTL] 2020-04-25
# enable Magic SysRequest key https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
kernel.sysrq=1
}}}
 *
Copy rkhunter.conf, mailname from another server
 * Install the UCC motd system on machines which mount /home:
  * A
dd the following line to /etc/inetd.conf:
  . {{{
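Review bot: the new `/etc/sysctl.d/50-local-ucc.conf` sets `kernel.dmesg_restrict=0` (any local user can read the kernel ring buffer) and `kernel.sysrq=1` (every SysRq function enabled from the console, including the ones that kill processes or reboot without syncing), but the comments record only who added them and when; suggest a one-line rationale for each, and for sysrq the specific bitmask for the functions actually wanted instead of 1.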
Line 170: Line 213:
  . Also add the following line to /etc/services (keeping things in order!):
{{{
  * Also add the following line to /etc/services (keeping things in order!):
  . {{{
Line 174: Line 217:
 * Add the following line to /etc/rsyslog.conf to enable central logging
{{{
*.* @murasoi
}}}

= Linux Desktops =
== Ubuntu ==
== Debian ==
 * Add a root user and nuke the initial unprivileged user
 * Change sources.list to use UWA's mirror %s/au.archive.ubuntu.com/mirrors.uwa.edu.au\/ubuntu/
 * Set up [[LDAP]] - you may need to use libnss-ldapd and libpam-ldapd on newer Ubuntu and Debian (as opposed to the old libnss-ldap)
  * `apt-get install --no-install-recommends libnss-ldapd libpam-ldapd`
  * Set server to `ldaps://mussel.ucc.gu.uwa.edu.au/ ldaps://martello.ucc.gu.uwa.edu.au/` - do not use the ucc.asn.au domain
  * Set search base to `dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au`
  * Check server SSL certificate: demand
  * `wget -O /etc/ssl/UCC-CA.crt http://ucc.asn.au/UCC-CA.crt` to copy the UCC certificate authority
  * Edit `/etc/nslcd.conf` and add the line `tls_cacertfile /etc/ssl/UCC-CA.crt`
  * Restart nslcd: `/etc/init.d/nslcd restart`
  * Edit `/etc/nsswitch.conf` to include for groups, passwd, and services - the latter is not done by default on most configurations.
  * The following pam instructions are 80% of what's required for lenny, but mostly useless for squeeze. Check out motsugo's pam.d directory for a newer example.
  * Edit `/etc/pam.d/common-auth` (order of unix & LDAP is important, as is `use_first_pass` rather than `try_first_pass`):
{{{
auth sufficient pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
}}}
  * Edit `/etc/pam.d/common-account` (order of unix & LDAP is important):
{{{
account sufficient pam_unix.so
account required pam_ldap.so use_first_pass
}}}
  * Test: `id accmurph` should show `uid=666(accmurph) gid=666(winadmin) groups=666(winadmin)` - if so, libnss-ldapd is working.
  * Test: `login` and try your username and password - if ok, libpam-ldapd is working.
 * Modify /etc/fstab to mount /away
 * Add the UCC root SSH keys: add the hostname to /home/wheel/bin/uccroot/push.sh, then run that script.
 * Install Phonehome:
  * `apt-get install python-zsi rsync apt-listchanges`
  * As root on mooneye, `cd /usr/local/phonehome && ./setup.zsh $HOSTNAME`

Ensure the following packages are installed:
##these are formatted like this so you can paste them straight into the terminal after apt-get install, keep them in alphabetical order please. [BOB]
{{{
build-essential bzflag cvs chromium-browser gnome-desktop-environment ladvd nfs-common nslcd ocsinventory-agent rssh openjdk-6-jdk openssh-server subversion thunderbird ubuntu-restricted-extras vim zsh
}}}
  * If `ladvd` is not availble, choose `lldpd` instead
 * The server for ocs inventory is ocsinventory-ng.ucc.gu.uwa.edu.au

== OpenSUSE ==
 * Rule 1: don't go messing with text config files (eg ldap, pam, nsswitch) - OpenSUSE is mostly configured through the GUI, and you'll be frustrated if you try and mix the two.
 * You can put it on ldap within the installer, so you won't need to create an unprivileged account like in Ubuntu
 * Put the machine on LDAP
  * Open YaST, either from the GUI or the command line, and select 'LDAP Client'
   * Set the address of LDAP servers to `mussel.ucc.gu.uwa.edu.au martello.ucc.gu.uwa.edu.au`
   * Click on 'Fetch DN' and the UCC dn should appear
   * 'Use LDAP' should be selected, deselect all other checkboxes
   * Click on advanced configuration
    * Deselect 'Use SSSD'
    * Set the user map to ou=People,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
    * Set the password map to dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
    * Set the group map to ou=group,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
  * Run the following commands from a terminal as root:
   * `pam-config -a --ldap`
   * `pam-config -d -sss`
   * Running `id accmurph` should show `uid=666(accmurph) gid=666(winadmin) groups=666(winadmin)` if everything is working
 * Mount user home directories
  * Ensure there is a /away export to the machine from mylah
  * Delete or move the old /home directory: `rm -rf /home`
  * Set up automounting of home directories
   * Uncomment the "/net -hosts" line in /etc/auto.master
   * Create a magic link to the home directories `ln -s /net/mylah/space/away/home /home`
   * Open YaST, go to 'System Services (Runlevel)', and enable the autofs service FROM SIMPLE MODE
   * Check this works by going to /home and listing the directory contents
   * Check this is still working after a reboot!
 * The package management tool in OpenSUSE is zypper. Install the following packages using `zypper install` from a terminal
{{{
compiz gcc git locate opera
}}}
 * OpenSUSE also supports 'pattern' packages (much like the build-essential package in Debian). Install the following patterns using `zypper install -t pattern`
{{{
devel_C_C++
}}}
 * Compiz on OpenSUSE has a problem where compiz-manager doesn't start correctly for users using compiz, so those users have no window borders, this can be solved by creating /etc/xdg/autostart/compiz-manager.desktop and putting the following contents in it:
{{{
[Desktop Entry]
Type=Application
Exec=/usr/bin/compiz-manager
Hidden=false
X-GNOME-Autostart-enabled=true
Name[C]=Compiz Manager (fix)
Name=Compiz Manager (fix)
Comment[C]=Fixes the annoying issue
Comment=Fixes the annoying issue
}}}
 * Enable ssh and add the root keys:
  * Enable the sshd service through YaST
  * Allow Secure Shell Server through the firewall using YaST
  * Add the hostname to /home/wheel/bin/uccroot/push.sh and run that script
 * Add wheel to sudoers using visudo, and delete the two lines in the file that are mentioned in the comments in the file
 * Install ocs-inventory:
  * Download the source tarball from http://www.ocsinventory-ng.org/en/download/download-agent.html
  * Follow the instructions in the README to build and install it
  * The server for ocs inventory is ocsinventory-ng.ucc.gu.uwa.edu.au
  * Finally, run vimotd as root on mussel, add the appropriate information and save the file (which then triggers a global motd push to all servers)
 * Add the following line to the bottom of /etc/rsyslog.conf to enable central logging
 . {{{
*.* @130.95.13.1
}}}
 * TODO: cron'ed weekly fstrim(8)
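Review bot: the central-logging line `*.* @murasoi` (and `*.* @130.95.13.1` in the OpenSUSE section) uses a single `@`, which in rsyslog means plain UDP: unencrypted, unauthenticated and with no delivery guarantee; suggest `@@` (TCP) at minimum, and if the single-`@` form is what the collector currently expects, a note saying so and which of the two destinations is current.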

This page is intended as a guide to set up UCC machines in some sort of standard way. Please update this if you find any problems when installing things (especially if using newer versions than described here).

Steps marked with <!> require a wheel member, anything else can be done by a winadmin.

Before you start

Steps to do before installation

  • <!> Add forward and reverse DNS entries for the machine.

  • <!> Add the machine to DHCP.

  • <!> Make sure all licenses required are on hand (see /home/wheel/docs/software-license/ on a user server)

Steps to do after

  • Check everything works as expected
  • Email [email protected] with a summary of what was set up/re-installed

Dualboot Machines

These instructions relate to dual-booting Windows 10 and Linux Mint. If installing a dualboot machine, always install Windows first where possible.

  1. Install Windows following the below. Make note of the following when setting up the disks:

    • Depending on the size of the disk, try to reserve up to 500GB or more for Windows.
    • Linux works fine on anything down to about 100GB but 200GB+ is preferable.
  2. Install Linux, making sure to use the previously reserved disk space.

    • Use a different hostname for the Linux installation (eg. catfish on Windows, and catfish-linux on Linux, or vice-versa)

    • This is necessary so that the machine accounts in AD don't have the same name, otherwise one OS's entry overwrites the other and things get broken.
  3. Set up a scheduled task on Windows to reboot into Linux each day.

Windows 10

All new Windows machines in UCC should be installed with Windows 10 by default. Previous versions are deprecated.

  1. Find a Windows install disk or make a new one. Make sure you select the Professional edition (the Home edition cannot be joined to a domain).
    • You can download the latest ISO image and the USB imaging tool from Microsoft's Windows 10 download page.

  2. Plug in the install disk and boot from it.
    • Select the US keyboard layout and Australian time/date format.
    • Agree to the license terms etc.
  3. Partition the disks.
    • Delete all existing partitions (if any) on the designated install disk.
    • Select the empty space and click "New" to create a new partition. Enter the desired size or use the whole disk (if not doing dualboot).
  4. Create a dummy user account (call it something like accmurph)

  5. Finish the installer. Once it has rebooted into the new Windows system and you have logged in you can continue.
  6. Install software.
    • Software in this list should either be free to download and install, or something that the UCC has a license for.
    • Open Powershell as Administrator and run the following. The first line downloads and executes the Chocolatey installer straight from chocolatey.org, so check the URL before running it; -Scope Process confines the relaxed execution policy to this PowerShell session instead of changing the machine-wide setting:

      Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
      
      choco install -y 7zip.install adobereader chocolateygui discord firefox flashplayerplugin foxitreader freecad gimp git.install googlechrome hwmonitor inkscape javaruntime keepass.install kicad kitty libreoffice lyx miktex notepadplusplus.install opera paint.net python3 texstudio tor-browser vivaldi vlc vscode windirstat winscp.install 
    • Adobe ended support for Flash Player at the end of 2020, so flashplayerplugin no longer receives updates; leave it out unless something still needs it.
    • Install Steam and Battle.net to the games drive (if any).

    • Install the ocsinventory agent from https://www.ocsinventory-ng.org/en/.

      • This software maintains a registry of all our hardware and is used to determine which machines need upgrading. The server to point it at is https://ocsinventory.ucc.asn.au/ocsinventory. No auth is required. Turn off SSL cert verification if the agent rejects the server's certificate, but be aware that with verification off the agent will send the inventory to anything answering at that name; installing the server's CA certificate on the client is the better fix.

  7. Set the Windows computer name - the installer picks a random one automatically and this is bad.
    • Right click on the Start button, select "System", then click "Rename this PC" and enter the desired name.
  8. Configure the system for the UCC network. (type any commands below into the Administrator Powershell window you just opened)

    • Delete the dummy user created during install, enable the local Administrator account and set the password. The trailing * makes net user prompt for the password (enter the Clubroom Password) instead of leaving it in the PowerShell history:

      net user accmurph /delete
      net user Administrator /active:yes
      net user Administrator *
    • Join the machine to the domain UCCDOMAYNE as described in ActiveDirectory#Windows.

    • REBOOT.

    • You may need to manually set the time if it is out of sync, run Command Prompt (not powershell!) as administrator and use the command time HH:MM:SS

    • Force update group policy on the machine (now in the admin Command Prompt window):

      gpupdate /force
      • Once Group Policy has been successfully applied (or before the machine is joined to the domain at all) you can force an NTP time sync with w32tm /resync /force

    • Add static route for 130.95.13.0/26: (This prevents a VPN connection from trying to steal the default route to users home directories.)

      route add -p 130.95.13.0 MASK 255.255.255.192 130.95.13.65
    • Enable pings (alternatively, follow this guide). "netsh firewall" is deprecated on Windows 10 but still works; the current form of the same inbound rule is the second command:

      netsh firewall set icmpsetting 8 enable
      netsh advfirewall firewall add rule name="ICMPv4 Echo Request" protocol=icmpv4:8,any dir=in action=allow
  9. Add the UCC printer blacklight and set it as the default.

Linux Desktops

Linux Mint x64 Cinnamon (not the LMDE / Debian version) is the only Linux installation we support.

These instructions have been updated and checked with Linux Mint 19.1 - please update them to be compatible with any newer versions if you choose to install them.

  1. Find or create an install USB.
    • Download the ISO from https://www.linuxmint.com/download.php onto an existing Linux system.

      wget http://mirror.waia.asn.au/pub/linux/linuxmint/linuxmint-isos/linuxmint.com/stable/19.1/linuxmint-19.1-cinnamon-64bit.iso
    • The mirror is plain HTTP, so check the image before writing it: compare its sha256sum against the sha256sum.txt for that release on linuxmint.com (the file is GPG-signed; verify the signature as well if you can).
    • Plug in the USB and get the device node with lsblk (look at the size of each drive). Use the whole device, not one of its partitions.

    • Copy the image to the USB: (this will take a few minutes, and overwrites everything on the target device)

      sudo dd if=linuxmint-19.1-cinnamon-64bit.iso of=/dev/<usb identifier> bs=1M; sync;
  2. Boot from the USB and run the installer.
  3. Partition the disks. Select "something else" rather than the automagic guided options.
    • If you are setting up dualboot, do NOT delete any Windows-related partitions.
    • Create a new partition for the Linux system. No swap partition is required - mint no longer creates a swap partition by default, and can use a swap file in the root partition if swap space is required.
      • Use as ext4 file system and use / as the mount point.

    • Configure a dummy user, for example accmurph.

    • Use sensible values for the other options.
  4. Boot into the newly installed system and configure it
    • Set up Active Directory following the instructions at ActiveDirectory

    • Ensure wheel group and sprocket group have sudo permission: sudo visudo

      %wheel ALL=(ALL:ALL) ALL
      %sprocket ALL=(ALL:ALL) ALL
    • Ensure wheel group and sprocket group have administrative rights in Polkit. Create the file /etc/polkit-1/localauthority.conf.d/90-ucc-desktops.conf with the following contents:

      [Configuration]
      AdminIdentities=unix-group:wheel;unix-group:sprocket
    • Modify /etc/fstab to mount /away. Use something like this (can differ with distro). Keep nosuid and nodev: they stop a file on the server from ever being a setuid binary or a device node on the client. The last field is 0 because fsck never runs on NFS:

      away.ucc.gu.uwa.edu.au:/space/away/home     /home   nfs     nfsvers=3,auto,rw,tcp,nosuid,nodev,soft,x-systemd.automount,x-systemd.device-timeout=10,x-systemd.requires=network-online.target      0       0
      • x-systemd.requires=network-online.target is oddly insufficient on its own, but x-systemd.automount is relatively robust (see systemd.mount(5)). According to mount(8), systemd-fstab-generator implicitly defeats retries and continues without "failing", the equivalent of "x-systemd.mount-timeout=infinity,retry=10000,fg,nofail", so use automounts.

    • Network configuration is via DHCP and handled entirely by NetworkManager

    • Use a local package repository mirror with sudo mint-switch-to-local-mirror

  5. Install software.

    sudo add-apt-repository "deb http://dl.google.com/linux/chrome/deb/ stable main"
    wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
    sudo apt update
    sudo apt install -y adobe-flashplugin arduino blender build-essential cvs chromium-browser eclipse etckeeper fish freecad freeglut3-dev geeqie gimp glew-utils gnucash google-chrome-stable gtk2-engines-oxygen hugin inkscape jhead keepassxc kicad ladvd libreoffice mlocate mplayer nasm nfs-common ocsinventory-agent openjdk-11-jdk openssh-server parallel pepperflashplugin-nonfree pidgin python remmina remmina-plugin-rdp rdesktop rssh subversion thunderbird tig unattended-upgrades vim-gtk vlc zsh lyx texlive torbrowser-launcher xdotool
    • The OCS Inventory server URL is https://ocsinventory.ucc.asn.au/ocsinventory (the same server the Windows agent reports to)

    • <!> Set the root password, then add the UCC root SSH keys: add the hostname to /home/wheel/bin/uccroot/push.sh, then run that script.

    • Install vivaldi browser (there's no repo package at the moment) - go to https://www.vivaldi.com and install from there

  6. Set up the UCC printer blacklight

    • Open the Printers settings panel

    • Add printer directly (list its hostname in the insert field)
    • If the definition file cannot be located, download from the manufacturer's website (some googling may be required)
  7. Log in as your own user (reboot if necessary to do so) and go to login window preferences in the main menu

    • Set theme to elegance
    • Go to options and deselect "automatically select the last logged in user"
    • Also change the default session from "Automatically detected" to "cinnamon"
    • Delete the initial user:  sudo userdel -r accmurph  (ignore any errors)

  8. Enable automatic upgrades in the Update Manager (GUI)
    • Tick the box "Apply updates automatically" and ignore any warnings about system stability
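
The fstab line in step 4 is easy to get subtly wrong on a machine that outlives these instructions. The script below is an added check written for this page, not a UCC script or anything from the wiki: it reads an fstab-format file and reports NFS entries missing nosuid or nodev, flags soft mounts, and catches a non-zero fsck pass. The only name taken from the page is away.ucc.gu.uwa.edu.au; the fileserver.example line and the UUID are constructed so the sample has one good and one bad entry.

```shell
#!/bin/sh
# Audit the NFS entries of an fstab-format file (default /etc/fstab).
# Added example for the UCC machine-setup page; not a script the page ships.

# Succeed if the comma-separated option list $1 contains option $2.
has_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# Report problems with every nfs/nfs4 entry in an fstab-format file.
# One finding per line, "<mountpoint>: <problem>"; exit status 1 if any
# finding is a hard failure (soft mounts are only warned about).
fstab_nfs_audit() {
    file=${1:-/etc/fstab}
    # Strip comments and blank lines; read splits the six fstab fields on
    # whitespace. The loop runs in a pipeline subshell, so the status is
    # handed out with exit rather than through a variable.
    sed -e 's/#.*//' "$file" | {
        rc=0
        while read -r src mnt fstype opts dump pass; do
            [ -n "$src" ] || continue
            case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
            # A server-controlled filesystem must not supply setuid binaries
            # or device nodes: either lets whoever can write to the export
            # gain privileges on the client.
            for o in nosuid nodev; do
                has_opt "$opts" "$o" || { echo "$mnt: missing $o"; rc=1; }
            done
            # soft: once the retries expire, applications get EIO and the
            # pending writes are gone. The page accepts this for /away, so
            # it is reported but not failed.
            has_opt "$opts" soft && echo "$mnt: soft mount, writes can be lost on timeout"
            # fsck never runs on NFS, so the pass number must be 0.
            [ "${pass:-0}" = 0 ] || { echo "$mnt: fsck pass should be 0, not $pass"; rc=1; }
        done
        exit "$rc"
    }
}

# Write a constructed sample fstab and print its path. The /home line is the
# one from step 4 (fsck field 0); the fileserver.example line is deliberately
# wrong. Neither the UUID nor fileserver.example is real.
write_sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real /etc/fstab
UUID=0000-0000-0000  /  ext4  errors=remount-ro  0  1
away.ucc.gu.uwa.edu.au:/space/away/home  /home  nfs  nfsvers=3,auto,rw,tcp,nosuid,nodev,soft,x-systemd.automount,x-systemd.device-timeout=10,x-systemd.requires=network-online.target  0  0
fileserver.example:/srv/share  /mnt/share  nfs4  rw,hard  0  1
EOF
    echo "$f"
}

# Stand-alone use: audit the file named as $1, or the sample if none given.
target=${1:-$(write_sample_fstab)}
fstab_nfs_audit "$target" || echo "audit of $target found problems"
```

Run it as `sh fstab-audit.sh /etc/fstab` after editing the file; on the sample it reports the soft mount on /home and three failures for /mnt/share. The nosuid/nodev check is the one that matters on a shared desktop, since anyone who can write to the export would otherwise control what runs setuid on every client.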

Proprietary NVidia Drivers

NOTE: nouveau is preferred if it works, as it integrates with the kernel.

  1. Locate the driver edition for the card (the major number of the driver version specified on http://www.nvidia.com/Download/index.aspx?lang=en-us)

    • DON'T DOWNLOAD FROM HERE
    • Remember to select "Linux x64" as the OS
  2. Install the relevant package sudo apt install nvidia-<VER>

    • E.g. nvidia-340 for the GeForce 9600

  3. Reboot
  4. If the graphics don't work (e.g. falls back to software rendering), sudo apt purge nvidia-<VER>

Linux Servers

  • At installation:
    • Avoid setting package sources to the UWA mirror as they are frequently out of date. AARNet seems to be the most reliable mirror at this stage
    • Keep APT sources.list (or software repositories) as minimal as possible, but if you don't:
      • Beware of copying the apt sources.list from another server without copying the apt_preferences file too. You might suddenly find yourself with much newer versions of packages than you want.
    • The UCC standard install has all volumes in LVM on md raid. Generally var and home are put on a separate logical volume to root. You had better have a good reason if you're not following this guideline!
  • Set a root password and nuke the initial unprivileged user:
    • That's as simple as running passwd root as a super user, logging back in as root and running deluser --remove-home on the original user

  • If the machine has an SSD (or several thereof), ensure that TRIM (aka discard) is enabled at every layer: issue_discards = 1 in /etc/lvm/lvm.conf for LVM, and either the discard mount option or periodic fstrim(8) at the filesystem layer (see the TODO at the end of this list)
  • Set up DNS on Mooneye:

    • Add an entry to /etc/bind/domains/primary/ucc.machines then close the file and run zonemake.py in the same directory
    • If zonemake has errors, go back and fix them before proceeding!
    • Use rndc reload to get bind to reload the zone files

  • Set up DHCP on Murasoi:

    • Add the ethernet (MAC) address to /etc/dhcp/dhcpd.conf
    • Restart the DHCP server with service isc-dhcp-server restart

  • Set up NFS:
    • Only do this once you have DNS set up and working properly
    • Add the machine to the /etc/exports files on the appropriate servers (Motsugo for /home, Molmol (or just host "away") for /away and nortel+onetel for /services). Reload the server config with exportfs -r (Linux) or service mountd reload (FreeBSD)

    • Remember that only machines on the machine room subnet and physically within the machine room should mount /home while pretty much every machine should mount /away
    • Add the fstab line (copy off Motsugo or something)

    • mount -av and hope

  • Configure the SSH server:
    • Copy the SSH banner (usually in /etc/issue.net) from another server and modify it to suit
    • Ensure the correct banner file is set in /etc/ssh/sshd_config
    • Enable root ssh logins and X11 forwarding in /etc/ssh/sshd_config. Root logins are needed for the wheel keys pushed below, so use PermitRootLogin prohibit-password (key-only, and the OpenSSH default since 7.0), never yes. sshd takes the first occurrence of each keyword, so make sure nothing earlier in the file already sets it.
    • Restart the SSH server and confirm all working
  • Add the UCC root SSH keys:
    • Add the hostname to /home/wheel/bin/uccroot/push.sh (this will add wheel keys to the machine when the script is run)
    • For adding non-wheelians to certain machines, add their public key to the <machine name>-extra in that same folder

    • Start an ssh-agent using eval "$(ssh-agent)" and authenticate your root key using ssh-add ~<username>/.ssh/id_rsa, then run the updated push.sh script

  • Setup Active Directory. Follow the instructions at ActiveDirectory

  • Allow wheel members sudo access to the machine by running visudo and adding the following lines:

    # Allow wheel members to execute any command
    %wheel  ALL=(ALL:ALL) ALL
  • Install dispense: Go to /home/wheel/tpg/gitclones/opendispense2, run make -C src/client clean all and copy dispense to /usr/local/bin on the target server.

    • Add the machine's address as trusted in /etc/opendispense2/dispsrv.conf on merlo, and then restart dispsrv with systemctl restart dispsrv

    • For users to be able to dispense, you also need to install oidentd

  • Install postfix, set the mail host to mailhost.ucc.gu.uwa.edu.au

  • Packages to install:

  • alpine apache2 biff etckeeper finger fish joe ladvd logwatch mlocate molly-guard mosh ncurses-term ocsinventory-agent openbsd-inetd parallel rkhunter rssh screen subversion sudo strace sxid tig tmux tshark uptimed vim zsh
  • For file servers, you should also install:
  • acl clamav iotop nfs-common nfs-kernel-server
  • Drop the following file into /etc/sysctl.d/50-local-ucc.conf
    # [msh] 201910..
    # 0 lets any local user read the kernel log (dmesg), including kernel
    # addresses; 1 would restrict it to processes with CAP_SYSLOG.
    kernel.dmesg_restrict=0
    # [NTU][BOB][MTL] 2020-04-25
    # enable Magic SysRequest key https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
    # 1 enables every SysRq function (reboot, kill all, sync, ...) for anyone
    # at the console or with write access to /proc/sysrq-trigger.
    kernel.sysrq=1
  • Copy rkhunter.conf, mailname from another server
  • Install the UCC motd system on machines which mount /home:
    • Add the following line to /etc/inetd.conf (inetd runs the script as root for every connection to 377/tcp, so restrict who can reach that port to the servers that push the motd):

      motda   stream  tcp     nowait  root    /home/wheel/bin/motd.update.sh motda
    • Also add the following line to /etc/services (keeping things in order!):

      motda           377/tcp                        # UCC MOTD update
    • Finally, run vimotd as root on mussel, add the appropriate information and save the file (which then triggers a global motd push to all servers)
  • Add the following line to the bottom of /etc/rsyslog.conf to enable central logging. A single @ sends syslog over UDP, which is neither encrypted nor authenticated (any host on the network can inject lines, and dropped datagrams are simply lost); @@ would use TCP, which at least survives bursts. Keep the local log files too, as the central copy is a supplement, not a replacement.

    *.* @130.95.13.1
  • TODO: cron'ed weekly fstrim(8)
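
The sshd, NFS export and rsyslog steps above are the ones most often left in a permissive state after a reinstall. The script below is an added example written for this page, not a UCC script and not something the wiki ships: each function takes a file path, so it can be pointed at the real /etc/ssh/sshd_config, /etc/exports or /etc/rsyslog.conf, or at the constructed samples that write_samples produces. 130.95.13.0/26 and 130.95.13.1 are the machine-room subnet and log host named on this page; the hostnames in the samples (labpc1.example, the backup user) are made up.

```shell
#!/bin/sh
# Post-install checks for a UCC-style Linux server. Added example, not part
# of the wiki page; file paths are arguments so the checks run on anything.

# Effective value of an sshd_config keyword. sshd honours the FIRST
# occurrence of each keyword (sshd_config(5)), so a stricter line lower
# down does not override a permissive one above it. Keywords inside a
# Match block are conditional and are skipped.
sshd_effective() {
    awk -v k="$2" '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Root logins are wanted (the push.sh keys log in as root) but only with
# keys: prohibit-password (older spelling without-password) or no, never
# yes. No keyword at all means the OpenSSH default, prohibit-password.
check_root_login() {
    v=$(sshd_effective "$1" PermitRootLogin)
    case "${v:-prohibit-password}" in
        prohibit-password|without-password|no) return 0 ;;
        *) echo "PermitRootLogin is '$v'; set prohibit-password" >&2; return 1 ;;
    esac
}

# Client specs (hostnames or CIDRs, options stripped) an export path is
# visible to, one per line. exports(5) treats a missing client as "all
# hosts", printed here as "*".
exports_clients() {
    awk -v p="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == p {
            if (NF == 1) { print "*"; next }
            for (i = 2; i <= NF; i++) {
                c = $i; sub(/\(.*\)$/, "", c)
                print (c == "" ? "*" : c)
            }
        }
    ' "$1"
}

# /home may only be exported to the machine-room subnet.
check_home_export() {
    file=$1; allowed=$2
    bad=$(exports_clients "$file" /home | grep -vxF -- "$allowed" || true)
    [ -z "$bad" ] && return 0
    echo "/home is exported beyond $allowed to:" $bad >&2
    return 1
}

# rsyslog forwarding syntax: "@host" is UDP, "@@host" is TCP. Neither is
# encrypted; TCP is merely not dropped silently and harder to spoof.
# Prints udp, tcp, or nothing if no *.* forwarding line exists.
rsyslog_transport() {
    awk '$1 == "*.*" && $2 ~ /^@/ { t = ($2 ~ /^@@/) ? "tcp" : "udp"; print t; exit }' "$1"
}

# Constructed configuration samples; prints the directory they are in.
write_samples() {
    d=$(mktemp -d)
    cat > "$d/sshd_config.good" <<'EOF'
# constructed sample
Banner /etc/issue.net
PermitRootLogin prohibit-password
X11Forwarding yes
Match User backup
    PermitRootLogin yes
EOF
    cat > "$d/sshd_config.bad" <<'EOF'
PermitRootLogin yes
PermitRootLogin no
EOF
    cat > "$d/exports.good" <<'EOF'
# constructed sample
/home   130.95.13.0/26(rw,sync,no_subtree_check)
/away   130.95.13.0/24(rw,sync,no_subtree_check) 10.0.0.0/8(ro)
EOF
    cat > "$d/exports.bad" <<'EOF'
/home     130.95.13.0/26(rw,sync) labpc1.example(rw)
/services (rw)
EOF
    printf '*.* @130.95.13.1\n' > "$d/rsyslog.udp"
    printf '*.* @@130.95.13.1:514\n' > "$d/rsyslog.tcp"
    echo "$d"
}

# Stand-alone use: run every check against the samples.
d=$(write_samples)
for f in "$d"/sshd_config.*; do check_root_login "$f" && echo "$f: ok"; done
for f in "$d"/exports.*; do check_home_export "$f" 130.95.13.0/26 && echo "$f: ok"; done
for f in "$d"/rsyslog.*; do echo "$f: $(rsyslog_transport "$f")"; done
```

The first-occurrence rule in sshd_effective is the detail that bites in practice: appending PermitRootLogin prohibit-password to a file that already says yes changes nothing, which sshd -T would also show. The exports check is deliberately strict about /home because, as the list above says, only machine-room hosts should ever mount it.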


CategorySystemAdministration