Differences between revisions 167 and 169 (spanning 2 versions)
Revision 167 as of 2015-05-08 22:11:43
Size: 23354
Editor: porcupine
Comment:
Revision 169 as of 2015-05-08 22:16:04
Size: 23390
Editor: porcupine
Comment:
Line 50: Line 50:
Chrome
Firefox
Putty
Kitty
Lyx
LibreOffice
Steam
WinSCP
Inkscape
GIMP
VLC
Adobe Reader
 * Chrome
 * Firefox
 * Putty
 * Kitty
 * Lyx
 * LibreOffice
 * Steam
 * WinSCP
 * Inkscape
 * GIMP
 * VLC
 * Adobe Reader
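Review bot: the hunk only re-marks the twelve entries as ` * ` list items, but with Inkscape and GIMP (the `Inkscape` and `GIMP` lines) now settled as standard installs here, the Windows XP "What about..." list further down the page still carries "Inkscape" and "The GIMP" as open questions; drop them there or mark them as already standard so the two lists do not contradict each other.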

One day, it would be nice to have a standard operating environment for UCC clubroom machines. Currently the state of them could be described as varying degrees of broken, partly due to having no defined procedure for setting them up. The purpose of this page is to brainstorm what this procedure should be.

All Machines

  • Gnuplot

Steps marked with <!> require a wheel member; anything else can be done by a winadmin.

Windows Profiles

Please see WindowsProfiles for more information on how these work / how you should manage them.

Windows 7

Steps to do before/during installation

  • Add forward and reverse DNS entries for the machine. <!> Not essential for setup

  • Add the machine to DHCP. <!> Not essential for setup

During/after installation

  • Install Win7 Pro, not the home edition, or you won't be able to add it to the domain
  • Make sure you create at least 3 disk partitions - one for windows, one for games/other, and one or more for linux
  • Enable the Administrator account and set a password, nuke the user you created during install
    • Handy hint: Instead of logging in with LOCALMACHINENAME\Administrator, log in with .\Administrator
  • Install F-Prot antivirus. <!> You will need a wheel member to give you the registration key

  • Install device drivers (graphics and sound most importantly).
  • Run the registry hack from http://wiki.samba.org/index.php/Windows7 (you won't be able to add the machine to the domain without doing this)

  • Configure it to be part of the domain 'UCCDOMAIN'. (Control Panel, System, Advanced System Settings, Computer Name) Ignore the error message

  • Install and configure wpkg. NOTE 2013-08: wpkg is so out of date it isn't really worth it, have a look at what it would install and install new versions of the worthwhile stuff.

    • Both the client installer and the config files will be in //Mylah/wpkg
    • Import settings using the "import settings" button from //Mylah/wpkg/settings.xml
    • Go into service management and change the WPKG Service startup type to Automatic (Delayed Start). This step is essential; wpkg will not work without it

    • Restart the computer
  • Set up printing.
  • Add Winadmins to computer administrators.
  • Add static route for 130.95.13.0/26 and allow inbound ping (ICMP echo) through the Windows firewall: at a command prompt type:

route add -p 130.95.13.0 MASK 255.255.255.192 130.95.13.65

netsh firewall set icmpsetting 8 enable

Software to install

Software in this list should either be free to download and install, or something that the UCC has a license for.

  • Chrome
  • Firefox
  • Putty
  • Kitty
  • Lyx
  • LibreOffice

  • Steam
  • WinSCP
  • Inkscape
  • GIMP
  • VLC
  • Adobe Reader

Windows XP

Steps to do before/during installation

  • Add forward and reverse DNS entries for the machine. <!> Not essential for setup

  • Add the machine to DHCP. <!> Not essential for setup

  • Add the machine template to Samba. As root on Mylah, run /home/wheel/bin/ucc-addwinpc computername. <!>

During/after installation

  • Install Windows XP SP3 and configure it to be part of the domain 'UCCDOMAIN'.
  • Install device drivers (graphics and sound most importantly).
  • Set up printing.
  • Add Winadmins to computer administrators.
  • Configure WPKG. Install WPKG Client 1.3.9.msi, and load settings.xml using 'import settings', both in //mylah/wpkg

    • As winxp is no longer the default profile, you will need to edit /wpkg/hosts.xml and make an entry for the machine
  • Turn Windows Updates on to fully-automatic.
  • Add static route for 130.95.13.0/26: at a command prompt, type

route add -p 130.95.13.0 MASK 255.255.255.192 130.95.13.65

Software to install

Software in this list should either be free to download and install, or something that the UCC has a license for. Some preference is given to software which is easily deployed with WPKG.

What about...

  • ActiveState ActivePython and/or ActivePerl

  • Eclipse? Massive but apparently Java programmers love it
  • NetBeans? Not nearly as massive (but still quite large)

  • Komodo Edit, a rather nice lightweight programmers' editor
  • gVim, the logical alternative to the above
  • TortoiseSVN
  • Cygwin: I vote no, it's horrible [DAA]

  • sequoiaview?
  • Hardware design tools like ..
  • SwitcherCADIII (free download with very active support list)
  • Altium Designer (on at least one machine) or Free (limited) version of Eagle
  • Pushing the UCC CA out over WPKG? http://wpkg.org/SSL_CA_Install

  • Inkscape
  • The GIMP

Linux Servers

  • At installation:
    • Avoid setting package sources to the UWA mirror as they are frequently out of date. AARNET seems to be the most reliable mirror at this stage
    • Beware of copying the apt_sources list from another server without copying the apt_preferences file too. You might suddenly find yourself with much newer versions of packages than you want.
    • The UCC standard install has all volumes in LVM on md raid. Generally var and home are put on a separate logical volume to root. You had better have a good reason if you're not following this guideline!
  • Add a root user and nuke the initial unprivileged user:
    • That's as simple as running passwd as a super user, re-logging in as root and running deluser on the original user

  • If the machine has an SSD (or several thereof), ensure that TRIM (aka discard) is enabled at all layers (lvm and disk layer)
  • Set up DNS on Mooneye:

    • Add an entry to /etc/bind/domains/primary/ucc.machines then close the file and run zonemake.py in the same directory
    • If zonemake has errors, go back and fix them before proceeding!
    • Use rndc reload to get bind to reload the zone files

  • Set up DHCP on Murasoi:

    • Add the ethernet (MAC) address to /etc/dhcp/dhcpd.conf
    • Restart the DHCP server with service isc-dhcp-server restart

  • Set up NFS:
    • Only do this once you have DNS set up and working properly
    • Add the machine to the /etc/exports files on the appropriate servers (Motsugo for /home, Mylah for /away and nortel+onetel for /services)

    • Remember that only machines on the machine room subnet and physically within the machine room should mount /home while pretty much every machine should mount /away
    • Add the fstab line (copy off Motsugo or something)

    • mount -av and hope

  • Configure the SSH server:
    • Copy the SSH banner (usually in /etc/issue.net) from another server and modify it to suit
    • Ensure the correct banner file is set in /etc/ssh/sshd_config
    • Enable root ssh logins and X11 forwarding in /etc/ssh/sshd_config
    • Restart the SSH server and confirm all working
  • Add the UCC root SSH keys:
    • Add the hostname to /home/wheel/bin/uccroot/push.sh (this will add wheel keys to the machine when the script is run)
    • For adding non-wheelians to certain machines, add their public key to the <machine name>-extra in that same folder

    • Start an ssh-agent using eval `ssh-agent` and authenticate your root key using ssh-add ~<username>/.ssh/id_rsa, then run the updated push.sh script

  • Set up LDAP:

    • Install required packages with apt-get install --no-install-recommends libnss-ldapd libpam-ldapd

    • Set server to ldaps://mussel.ucc.gu.uwa.edu.au/ ldaps://motsugo.ucc.gu.uwa.edu.au/ - do not use the ucc.asn.au domain

    • Set search base to dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au

    • Check server SSL certificate: demand
    • wget -O /etc/ssl/UCC-CA.crt http://ucc.asn.au/UCC-CA.crt to copy the UCC certificate authority

      • If wget fails with a certificate error, delete the zero-sized /etc/ssl/UCC-CA.crt that has been created and add --no-check-certificate before the -O
    • Edit /etc/nslcd.conf and add the line tls_cacertfile /etc/ssl/UCC-CA.crt

    • Restart nslcd: /etc/init.d/nslcd restart

    • nsswitch controls where the operating system looks for password and group information (amongst other things). Ensure the following lines in /etc/nsswitch.conf are set (leaving the other settings at default):

        passwd:         compat ldap
        group:          compat ldap
        shadow:         compat ldap

        services:       db files ldap
    • What the compat ldap bit does is to perform a logical "or" of the local and ldap information sources in order to resolve a user or group. This means that most UCC groups will work without (much) further configuration and you're not mangling the local passwd and group files. The catch? Local information is given preference so you have to go through the /etc/group file and ensure there are no group numbers which conflict with the ldap groups.

      • Explicitly add wheel:x:0: to the top of /etc/group, e.g.

        # sed -i '1iwheel:x:0:' /etc/group
        # grep :0: /etc/group
        wheel:x:0:
        root:x:0:
      • Look out for local group numbers that conflict with ldap group numbers (21, 101, 666 for example) - we may need to change our ldap group numbers to avoid conflicts. In the past we have just deleted the local group, but you can only do this if the local group doesn't already own files on the machine (or if you're so inclined, you can renumber local groups and files).
    • PAM provides authentication for applications and services - don't skip this step! The modules are configured with the files in /etc/pam.d/, the most important ones being the common-* files. It's important to note that the rules are checked from top to bottom, so order is very important. It's best to just take a look at the config files in Motsugo's /etc/pam.d/ and edit your local files to match, because there are a lot of small changes to make. Ensure you remove the minimum_uid=1000 argument from all the common-* files (just that bit, not the whole line!) because a few UCCans have UIDs below 1000.

    • After you have configured PAM:
      • Test: id accmurph should show uid=666(accmurph) gid=666(winadmin) groups=666(winadmin) - if so, libnss-ldapd is working.

        • The gotcha: it's common practice to set the initial username on most machines to accmurphy. If this user hasn't been deleted properly it will get in the way of your ldap testing (and similarly if you've used your own username)!
        • The other gotcha: yes, you should id accmurph not id accmurphy

      • Test: login and try your username and password - if ok, libpam-ldapd is working.

  • Install dispense: Go to /home/wheel/tpg/gitclones/opendispense2, run make -C src/client clean all and copy dispense to /usr/local/bin on the target server.

  • Install Phonehome:
    • apt-get install python-zsi rsync apt-listchanges

    • On mooneye:
      • Start an ssh-agent using eval `ssh-agent`

      • Authenticate your root key using ssh-add ~<username>/.ssh/id_rsa

      • cd /usr/local/phonehome && ./setup.zsh $HOSTNAME

      • Once finished, kill your ssh-agent using ssh-agent -k

  • Install postfix, set the mail host to mailhost.ucc.gu.uwa.edu.au

  • Packages to install:

  • alpine apache2 biff build-essential ccache cvs distcc finger fish fortune ircii irssi joe ladvd logwatch molly-guard monotone mosh ncurses-term openbsd-inetd ocsinventory-agent rkhunter rssh screen subversion sudo sun-java6-jdk susv3 strace sxid tig tmux vim wireshark zsh 
    • The server for ocs inventory is ocsinventory-ng.ucc.gu.uwa.edu.au
    • For distcc, you will need to copy the config off another server from /etc/default/distcc
  • For file servers, you should also install:
  • acl clamav iotop nfs-common nfs-kernel-server
  • Copy rkhunter.conf, pine.conf, mailname from another server
  • Install the UCC motd system on machines which mount /home:
    • Add the following line to /etc/inetd.conf:

        motda   stream  tcp     nowait  root    /home/wheel/bin/motd.update.sh motda

    • Also add the following line to /etc/services (keeping things in order!):

        motda           377/tcp                        # UCC MOTD update

    • Finally, run vimotd as root on mussel, add the appropriate information and save the file (which then triggers a global motd push to all servers)
  • Add the following line to the bottom of /etc/rsyslog.conf to enable central logging:

    *.* @130.95.13.1

Linux Desktops

Debian or Ubuntu

  • Add a root user and nuke the initial unprivileged user
  • Ensure the package sources are pointing at AARNET's mirror, not UWA's
  • Set up LDAP by following the instructions in the linux servers section of this page

  • Modify /etc/fstab to mount /away

Something like this (differs with distro):

services.ucc.gu.uwa.edu.au:/space/away/home     /home   nfs     nfsvers=3,auto,rw,tcp,nosuid,nodev,rsize=8169,wsize=8169,soft   0       0
  • Add the UCC root SSH keys: add the hostname to /home/wheel/bin/uccroot/push.sh, then run that script.
  • Install Phonehome:
    • apt-get install python-zsi rsync apt-listchanges

    • As root on mooneye
      • Add your root key by running:
        • eval `ssh-agent`

        • ssh-add ~<username>/.ssh/id_rsa

      • Then, once you have unlocked your key, run the following command: cd /usr/local/phonehome && ./setup.zsh <hostname>

      • Finally, kill the ssh-agent using ssh-agent -k

Ensure the following packages are installed:

blender build-essential bzflag cvs chromium-browser compizconfig-settings-manager freeglut3-dev geeqie gimp glew-utils gnome-desktop-environment gnucash hugin inkscape jhead joe ladvd libglew-dev libglew1.8 locate mplayer nasm nfs-common nslcd ocsinventory-agent pidgin rssh openjdk-7-jdk openssh-server python remmina subversion thunderbird tig ubuntu-restricted-extras vim-gtk vlc zsh

Ensure the following packages are NOT installed:

ubuntuone-client unity-lens-shopping

Then install these non-crucial packages, which take a long time: apt-get install lyx

  • The server for ocs inventory is ocsinventory-ng.ucc.gu.uwa.edu.au
  • Ensure the wheel and sprocket groups have sudo permission (edit the file with sudo visudo):

%wheel ALL=(ALL:ALL) ALL
%sprocket ALL=(ALL:ALL) ALL

Install vivaldi browser (there's no repo package at the moment) - go to https://www.vivaldi.com and install from there

Graphics Don't Work?

If you get messages like "Hooray! GNOME3 won't work because your graphics hardware does not support it", or glxinfo segfaults, or glxgears does not show anything, then you have entered the wonderful world of troubleshooting graphics drivers!

NVIDIA should just work. If you have problems, remove the nouveau driver and replace it with the non-free nvidia driver.

If things seem totally fucked, you probably have an AMD graphics card. Eg:

    $ lspci | grep -i vga
    00:01.0 VGA compatible controller: Advanced Micro Devices [AMD] nee ATI BeaverCreek [Radeon HD 6550D]

You have two options; if one doesn't work try the other.

  • Install the debian non-free version of fglrx which may or may not explode

  • Install the official AMD fglrx which will definitely explode but may take longer to do so: http://support.amd.com/en-us/download

If none of this works you are doomed and need to try a different OS. However, debian or ubuntu are usually actually the best for fglrx, so you're probably still doomed.

Networking is Notworking?

Disable IPv6.

OpenSUSE

  • Rule 1: don't go messing with text config files (eg ldap, pam, nsswitch) - OpenSUSE is mostly configured through the GUI, and you'll be frustrated if you try and mix the two.
  • You can put it on ldap within the installer, so you won't need to create an unprivileged account like in Ubuntu
  • Put the machine on LDAP
    • Open YaST, either from the GUI or the command line, and select 'LDAP Client'
      • Set the address of LDAP servers to mussel.ucc.gu.uwa.edu.au motsugo.ucc.gu.uwa.edu.au

      • Click on 'Fetch DN' and the UCC dn should appear
      • 'Use LDAP' should be selected, deselect all other checkboxes
      • Click on advanced configuration
        • Deselect 'Use SSSD'
        • Set the user map to ou=People,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
        • Set the password map to dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
        • Set the group map to ou=group,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
    • Run the following commands from a terminal as root:
      • pam-config -a --ldap

      • pam-config -d --sss

      • Running id accmurph should show uid=666(accmurph) gid=666(winadmin) groups=666(winadmin) if everything is working

  • Mount user home directories
    • Ensure there is a /away export to the machine from mylah
    • Delete or move the old /home directory: rm -rf /home (don't even leave an empty directory in / )

    • Set up automounting of home directories
      • OpenSUSE 11.4:
        • Uncomment the "/net -hosts" line in /etc/auto.master
        • Ensure you can ping mylah
        • Open YaST, go to 'System Services (Runlevel)', and enable the autofs and rpcbind services FROM SIMPLE MODE
        • Create a magic link to the home directories ln -s /net/mylah/space/away/home /home

        • Check this works by going to /home and listing the directory contents
        • If things aren't working the way they should, test mounting /away manually with the mount command after creating the /home directory. Don't forget to unmount /home and delete the empty directory when you're done.

      • OpenSUSE 12.2:
        • autofs is deprecated! Yay! We use systemd now.
        • From YaST, go to 'System Services (Runlevel)', and enable the 'nfs' and 'rpcbind' services.
        • Edit /etc/fstab (even though, strictly speaking, it's deprecated -- gotta love systemd)
        • Add this line:

          services.ucc.gu.uwa.edu.au:/space/away/home     /home   nfs     nfsvers=3,rw,tcp,nosuid,nodev,rsize=8169,wsize=8169,soft,nolock,noauto,comment=systemd.automount   0       0 
        • Maybe reboot (it can't hurt, right...)
        • ls /home (or do something in the directory in order to make it mount)
        • Everything should work
      • Check this is still working after a reboot!
  • Run a quick upgrade of all packages using zypper up before going any further.

  • The package management tool in OpenSUSE is zypper. Install the following packages using zypper install from a terminal

blender compiz compiz-plugins-extra compizconfig-settings-manager findutils-locate finger freeglut-devel glew glew-devel gcc geeqie gimp git hugin jhead joe nasm opera pidgin MozillaThunderbird zsh
  • OpenSUSE also supports 'pattern' packages (much like the build-essential package in Debian). Install the following patterns using zypper install -t pattern

devel_C_C++ devel_ide devel_java devel_mono devel_perl devel_python devel_qt4 devel_rpm_build devel_ruby devel_web remote_desktop 
  • OpenSUSE 11.4 only: Compiz on OpenSUSE 11.4 has a problem where compiz-manager doesn't start correctly for users using compiz, so those users have no window borders. This can be solved by creating /etc/xdg/autostart/compiz-manager.desktop and putting the following contents in it:

[Desktop Entry]
Type=Application
Exec=/usr/bin/compiz-manager
Hidden=false
X-GNOME-Autostart-enabled=true
Name[C]=Compiz Manager (fix)
Name=Compiz Manager (fix)
Comment[C]=Fixes the annoying issue
Comment=Fixes the annoying issue
  • Install suitable graphics drivers. For ATI and nVidia chips see: http://en.opensuse.org/SDB:ATI_drivers and http://en.opensuse.org/SDB:NVIDIA_drivers

    • To use nouveau instead of nvidia, remove nvidia-computeG02 nvidia-gfxG02-kmp-desktop x11-video-nvidiaG02 and install Mesa-nouveau3d
    • Check compiz is working after a reboot (wobbly windows!)
  • Install vlc from this site: http://www.videolan.org/vlc/download-suse.html

  • Install google chrome (these instructions assume 64-bit openSUSE)
    • wget https://dl-ssl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm

    • zypper install google-chrome-stable_current_x86_64.rpm

  • Enable ssh and add the root keys:
    • Enable the sshd service through YaST
    • Allow Secure Shell Server through the firewall using YaST
    • Add the hostname to /home/wheel/bin/uccroot/push.sh and run that script
  • Add wheel to sudoers using visudo, and delete the two lines in the file that are mentioned in the comments in the file
  • Install ocs-inventory:
  • Add printers. Phosphorous on mussel is currently best added as a samba printer

Mac Desktops

  • Do a fresh install of the operating system
  • Enable Remote Login http://support.apple.com/kb/PH18726

  • Add the UCC CA
  • Settings > Users and Groups > Join Network Account Server

    • Open Directory Utility
      • Select LDAP then click the pencil icon
      • Add mussel.ucc.gu.uwa.edu.au
      • Enable Encrypt using SSL
    • Set RFC2307 mappings
    • Set search base to dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au

    • Edit the server settings
      • Disable "Use custom port"
  • Set up home directories
    • Open terminal and sudo to root
    • mv /home /home2 to move the old /home out of the way, probably something still has it open

    • ln -s /net/services.ucc.gu.uwa.edu.au/space/away/home /home to use the automounter for /home, if you don't understand this, ask.

    • ls -l /home should now show ucc, wheel, etc. If not you need to work out why.

  • Reboot and SSH etc. should work.


CategorySystemAdministration