This page is intended as a guide to set up UCC machines in some sort of standard way. Please update this if you find any problems when installing things (especially if using newer versions than described here).
Steps marked with <!> require a wheel member; anything else can be done by a winadmin.
Before you start
Steps to do before installation
- <!> Add forward and reverse DNS entries for the machine.
- <!> Add the machine to DHCP.
- <!> Make sure all licenses required are on hand (see /home/wheel/docs/software-license/ on a user server).
Steps to do after
- Check everything works as expected
- Email [email protected] with a summary of what was set up/re-installed.
Dualboot Machines
These instructions relate to Dualbooting Windows 10 and Linux Mint. If installing a dualboot machine, always install Windows first where possible.
1. Install Windows following the steps below. Make note of the following:
   - Depending on the size of the disk, try to reserve up to 500GB or more for Windows.
   - Linux works fine on anything down to about 100GB but 200GB+ is preferable.
2. to be completed...
Windows 10
All new Windows machines in UCC should be installed with Windows 10 by default. Previous versions are deprecated.
1. Find a Windows install disk or make a new one. Make sure you select the Professional edition.
   - You can download the latest ISO image from https://www.microsoft.com/en-au/software-download/windows10ISO and the USB imaging tool from https://www.microsoft.com/en-us/download/details.aspx?id=56485.
2. Plug in the install disk and boot from it.
   - Select the US keyboard layout and Australian time/date format.
   - Agree to the license terms etc.
3. Partition the disks.
   - Delete all existing partitions (if any) on the designated install disk.
   - Select the empty space and click "New" to create a new partition. Enter the desired size or use the whole disk (if not doing dualboot).
4. Create a dummy user account (call it something like accmurph).
5. Finish the installer. Once it has rebooted into the new Windows system and you have logged in you can continue.
6. Install software.
   - Software in this list should either be free to download and install, or something that the UCC has a license for.
   - Open Powershell as Administrator and run the following:

         Set-ExecutionPolicy Bypass; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
         choco install -y googlechrome firefox flashplayerplugin microsoftsecurityessentials keepass.install notepadplusplus.install 7zip.install discord javaruntime vlc chocolateygui opera foxitreader hwmonitor paint.net gimp inkscape adobereader libreoffice winscp.install putty miktex texstudio windirstat lyx

   - Install Steam and Battle.net to the games drive (if any).
   - Install the ocsinventory agent from https://www.ocsinventory-ng.org/en/.
     - This software maintains a registry of all our hardware and is used to determine which machines need upgrading. Point it at the server https://ocsinventory.ucc.asn.au/ocsinventory and turn off SSL certificate verification. No auth is required.
7. Configure the system for the UCC network. (Type any commands below into the Administrator Powershell window you just opened.)
   - Delete the dummy user created during install, enable the local Administrator account and set the password:

         net user accmurph /delete
         net user Administrator /active:yes
         net user Administrator <Clubroom Password>

   - Join the machine to the domain UCCDOMAYNE as described in ActiveDirectory#Windows.
   - REBOOT.
   - You may need to manually set the time if it is out of sync: run Command Prompt (not Powershell!) as administrator and use the command time HH:MM:SS
   - Force a Group Policy update on the machine (now in the admin Command Prompt window):

         gpupdate /force

   - Once Group Policy has been successfully applied (or before the machine is joined to the domain at all) you can force an NTP time sync with w32tm /resync /force
   - Add a static route for 130.95.13.0/26 (this prevents a VPN connection from trying to steal the default route to users' home directories):

         route add -p 130.95.13.0 MASK 255.255.255.192 130.95.13.65

   - Enable pings (alternatively, follow the guide at http://www.fixya.com/support/r5359816-allow_ping_icmp_echo_request_windows_7):

         netsh firewall set icmpsetting 8 enable

8. Add the UCC printer blacklight and set it as the default.
Linux Desktops
Linux Mint x64 Cinnamon (not the LMDE / Debian version) is the only Linux installation we support.
These instructions have been updated and checked with Linux Mint 19.1 - please update them to be compatible with any newer versions if you choose to install them.
1. Find or create an install USB.
   - Download the ISO from https://www.linuxmint.com/download.php onto an existing Linux system:

         wget http://mirror.waia.asn.au/pub/linux/linuxmint/linuxmint-isos/linuxmint.com/stable/19.1/linuxmint-19.1-cinnamon-64bit.iso

   - Plug in the USB and get the device node with lsblk (look at the size of each drive).
   - Copy the image to the USB (this will take a few minutes; replace /dev/sde with the device node you found):

         sudo dd if=linuxmint-19.1-cinnamon-64bit.iso of=/dev/sde bs=1M; sync
2. Boot from the USB and run the installer.
3. Partition the disks. Select "Something else" rather than the automagic guided options.
   - If you are setting up dualboot, do NOT delete any Windows-related partitions.
   - Create a new partition for the Linux system, leaving 8-16GB unused for the swap (this should be the same as the amount of memory in the system).
   - Format it as ext4 and use / as the mount point.
   - Create a swap partition from the remaining space, formatted and used as swap.
   - Configure a dummy user, for example accmurph.
   - Use sensible values for the other options.
4. Boot into the newly installed system and configure it.
   - Set up Active Directory (see ActiveDirectory#Linux).
   - Ensure the wheel and sprocket groups have sudo permission: run sudo visudo and add

         %wheel ALL=(ALL:ALL) ALL
         %sprocket ALL=(ALL:ALL) ALL

   - Modify /etc/fstab to mount /away. Use something like this (can differ with distro):

         # This line needs to be ABOVE the line that mounts swap, otherwise nfs fails to automount
         away.ucc.gu.uwa.edu.au:/space/away/home /home nfs nfsvers=3,auto,rw,tcp,nosuid,nodev,rsize=8169,wsize=8169,soft,x-systemd.device-timeout=10,x-systemd.requires=network.target 0 1

   - Network configuration is via DHCP and handled entirely by NetworkManager.
   - Use a local package repository mirror with sudo mint-switch-to-local-mirror
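Before rebooting, the fstab edit above can be sanity-checked. This is an added example, not a UCC script: it takes the path to an fstab (so it can be run on a staged copy) and fails if the NFS line that mounts /home comes after the swap line, or if that mount lacks the nosuid and nodev options.

```shell
#!/bin/sh
# Added example, not from the UCC wiki: check an fstab before rebooting a freshly
# installed Mint desktop. It enforces the two things the NFS home mount depends on:
#   1. the nfs line mounting /home must come BEFORE the swap line (otherwise the
#      automount fails, as the comment in the fstab snippet warns), and
#   2. that mount must carry nosuid and nodev, so a file on the shared home can
#      never run setuid or act as a device node on this machine.

# has_opt OPTS NAME -> true when NAME appears as a whole option in the comma list OPTS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_fstab FILE -> 0 if the file passes, 1 otherwise (reasons go to stderr)
check_fstab() {
    fstab=$1
    nfs_line=0 swap_line=0 nfs_opts="" n=0 status=0
    # fstab columns: device mountpoint type options dump pass
    while read -r dev mnt fstype opts _rest || [ -n "$dev" ]; do
        n=$((n + 1))
        case "$dev" in
            ''|\#*) continue ;;      # blank line or comment
        esac
        if [ "$fstype" = nfs ] && [ "$mnt" = /home ] && [ "$nfs_line" -eq 0 ]; then
            nfs_line=$n
            nfs_opts=$opts
        elif [ "$fstype" = swap ] && [ "$swap_line" -eq 0 ]; then
            swap_line=$n
        fi
    done < "$fstab"

    if [ "$nfs_line" -eq 0 ]; then
        echo "$fstab: no nfs mount of /home found" >&2
        return 1
    fi
    if [ "$swap_line" -ne 0 ] && [ "$nfs_line" -gt "$swap_line" ]; then
        echo "$fstab: nfs line ($nfs_line) must be above the swap line ($swap_line)" >&2
        status=1
    fi
    for opt in nosuid nodev; do
        if ! has_opt "$nfs_opts" "$opt"; then
            echo "$fstab: /home nfs mount is missing the $opt option" >&2
            status=1
        fi
    done
    return $status
}

# Stand-alone demo on a constructed fstab (not a real machine's) unless a path is given.
if [ $# -eq 0 ]; then
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# /etc/fstab (constructed sample)
away.ucc.gu.uwa.edu.au:/space/away/home /home nfs nfsvers=3,auto,rw,tcp,nosuid,nodev,soft 0 1
UUID=0000-root /     ext4 errors=remount-ro 0 1
UUID=0000-swap none  swap sw               0 0
EOF
    set -- "$sample"
fi
if check_fstab "$1"; then echo "$1: fstab OK"; fi
if [ -n "${sample:-}" ]; then rm -f "$sample"; fi
```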
5. Install software.

         sudo add-apt-repository "deb http://dl.google.com/linux/chrome/deb/ stable main"
         wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
         sudo apt-get update
         sudo apt-get -y install adobe-flashplugin arduino blender build-essential cvs chromium-browser eclipse fish freeglut3-dev geeqie gimp glew-utils gnucash google-chrome-stable gtk2-engines-oxygen hugin inkscape jhead keepassxc ladvd libreoffice locate mplayer nasm nfs-common ocsinventory-agent openjdk-11-jdk openssh-server pepperflashplugin-nonfree pidgin python remmina remmina-plugin-rdp rdesktop rssh subversion thunderbird tig unattended-upgrades vim-gtk vlc zsh lyx texlive

   - The server URL for OCSInventory is ocsinventory.ucc.gu.uwa.edu.au
   - <!> Add the UCC root SSH keys: add the hostname to /home/wheel/bin/uccroot/push.sh, then run that script.
   - Install the Vivaldi browser (there's no repo package at the moment): go to https://www.vivaldi.com and install from there.
6. Set up the UCC printer blacklight.
   - Open the Printers settings panel.
   - Add the printer directly (enter its hostname in the field provided).
   - If the definition file cannot be located, download it from the manufacturer's website (some googling may be required).
7. Log in as your own user (reboot if necessary to do so) and go to Login Window preferences in the main menu.
   - Set the theme to elegance.
   - Go to options and deselect "automatically select the last logged in user".
   - Also change the default session from "Automatically detected" to "cinnamon".
   - Delete the initial user with sudo userdel -r accmurph (ignore any errors).
Proprietary NVidia Drivers
NOTE: nouveau is preferred if it works, as it integrates with the kernel.
1. Locate the driver edition for the card (the major number of the driver version listed at http://www.nvidia.com/Download/index.aspx?lang=en-us).
   - DON'T DOWNLOAD FROM HERE
   - Remember to select "Linux x64" as the OS
2. Install the relevant package: sudo apt-get install nvidia-<VER>
   - E.g. nvidia-340 for the GeForce 9600
3. Reboot
4. If the graphics don't work (e.g. it falls back to software rendering), sudo apt-get purge nvidia-<VER>
Graphics Don't Work?
If you get messages like "Hooray! GNOME3 won't work because your graphics hardware does not support it", or glxinfo segfaults, or glxgears does not show anything, then you have entered the wonderful world of troubleshooting graphics drivers!
NVidia should just work. If you have problems, remove the nouveau driver and replace it with the non-free nvidia driver.
If things seem totally fucked, you probably have an AMD graphics card. Eg:

      $ lspci | grep -i vga
      00:01.0 VGA compatible controller: Advanced Micro Devices [AMD] nee ATI BeaverCreek [Radeon HD 6550D]

You have two options; if one doesn't work try the other.
- Install the debian non-free version of fglrx, which may or may not explode
- Install the official AMD fglrx, which will definitely explode but may take longer to do so: http://support.amd.com/en-us/download
If none of this works you are doomed and need to try a different OS. However, debian or ubuntu are usually actually the best for fglrx, so you're probably still doomed.
Linux Servers
- At installation:
  - Avoid setting package sources to the UWA mirror as they are frequently out of date. AARNET seems to be the most reliable mirror at this stage.
  - Beware of copying the apt_sources list from another server without copying the apt_preferences file too. You might suddenly find yourself with much newer versions of packages than you want.
  - The UCC standard install has all volumes in LVM on md RAID. Generally var and home are put on a separate logical volume to root. You had better have a good reason if you're not following this guideline!
- Add a root user and nuke the initial unprivileged user:
  - That's as simple as running passwd as a super user, re-logging in as root and running deluser on the original user.
- If the machine has an SSD (or several thereof), ensure that TRIM (aka discard) is enabled at all layers (LVM and disk layer).
- Set up DNS on Mooneye:
  - Add an entry to /etc/bind/domains/primary/ucc.machines, then close the file and run zonemake.py in the same directory.
  - If zonemake has errors, go back and fix them before proceeding!
  - Use rndc reload to get bind to reload the zone files.
- Set up DHCP on Murasoi:
  - Add the ethernet (MAC) address to /etc/dhcp/dhcpd.conf.
  - Restart the DHCP server with service isc-dhcp-server restart.
- Set up NFS:
  - Only do this once you have DNS set up and working properly.
  - Add the machine to the /etc/exports files on the appropriate servers (Motsugo for /home, Molmol (or just host "away") for /away and nortel+onetel for /services). Reload the server config with exportfs -r (Linux) or service mountd reload (FreeBSD).
  - Remember that only machines on the machine room subnet and physically within the machine room should mount /home, while pretty much every machine should mount /away.
  - Add the fstab line (copy off Motsugo or something).
  - mount -av and hope.
- Configure the SSH server:
  - Copy the SSH banner (usually in /etc/issue.net) from another server and modify it to suit.
  - Ensure the correct banner file is set in /etc/ssh/sshd_config.
  - Enable root ssh logins and X11 forwarding in /etc/ssh/sshd_config.
  - Restart the SSH server and confirm all is working.
- Add the UCC root SSH keys:
  - Add the hostname to /home/wheel/bin/uccroot/push.sh (this will add wheel keys to the machine when the script is run).
  - For adding non-wheelians to certain machines, add their public key to the <machine name>-extra file in that same folder.
  - Start an ssh-agent using eval `ssh-agent` and authenticate your root key using ssh-add ~<username>/.ssh/id_rsa, then run the updated push.sh script.
- Set up Active Directory. Follow the instructions at ActiveDirectory.
- Install dispense: go to /home/wheel/tpg/gitclones/opendispense2, run make -C src/client clean all and copy dispense to /usr/local/bin on the target server.
- Install postfix and set the mail host to mailhost.ucc.gu.uwa.edu.au.
  - To have mail delivered locally, see http://www.postfix.org/STANDARD_CONFIGURATION_README.html
- Packages to install (formatted so you can paste them straight after apt-get install):

      alpine apache2 biff finger fish joe ladvd logwatch molly-guard mosh ncurses-term ocsinventory-agent openbsd-inetd rkhunter rssh screen subversion sudo strace sxid tig tmux tshark vim zsh

- For file servers, you should also install:

      acl clamav iotop nfs-common nfs-kernel-server

- Copy rkhunter.conf and mailname from another server.
- Install the UCC motd system on machines which mount /home:
  - Add the following line to /etc/inetd.conf:

        motda stream tcp nowait root /home/wheel/bin/motd.update.sh motda

  - Also add the following line to /etc/services (keeping things in order!):

        motda 377/tcp # UCC MOTD update

  - Finally, run vimotd as root on mussel, add the appropriate information and save the file (which then triggers a global motd push to all servers).
- Add the following line to the bottom of /etc/rsyslog.conf to enable central logging:

      *.* @130.95.13.1
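Once the server steps above are done, the "check everything works" step can be made mechanical. This is an added example, not the UCC's own tooling: it reads sshd_config, /etc/services, /etc/inetd.conf and /etc/rsyslog.conf under an optional root prefix (so it can be run against a staged copy) and reports whether the SSH banner, the motd inetd service and the central-logging line are actually in place.

```shell
#!/bin/sh
# Added example, not from the UCC wiki: verify that the server-side steps above landed.
# ROOT is an optional prefix (e.g. a staged copy under /tmp); leave it empty to check
# the live system. Prints one line per check and returns 0 only if every check passes.
check_server_baseline() {
    root=${1:-}
    rc=0

    # sshd_config keywords are case-insensitive and the FIRST occurrence of a keyword
    # wins, so read the first uncommented Banner rather than the last grep hit.
    banner=$(awk 'tolower($1) == "banner" { print $2; exit }' \
        "$root/etc/ssh/sshd_config" 2>/dev/null || true)
    if [ -z "$banner" ] || [ "$banner" = none ]; then
        echo "FAIL sshd: no Banner directive in sshd_config"; rc=1
    elif [ ! -r "$root$banner" ]; then
        echo "FAIL sshd: Banner points at $banner, which does not exist"; rc=1
    else
        echo "ok   sshd: Banner $banner"
    fi

    # /etc/services must map the motda service name to 377/tcp ...
    port=$(awk '$1 == "motda" && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }' \
        "$root/etc/services" 2>/dev/null || true)
    if [ "$port" = 377 ]; then
        echo "ok   services: motda 377/tcp"
    else
        echo "FAIL services: motda should be 377/tcp (found '${port:-nothing}')"; rc=1
    fi

    # ... and inetd must run the UCC update hook as root for that service.
    # inetd.conf columns: service socket-type protocol wait/nowait user program [args]
    if awk '$1 == "motda" && $2 == "stream" && $3 == "tcp" && $5 == "root" &&
            $6 == "/home/wheel/bin/motd.update.sh" { found = 1 } END { exit !found }' \
            "$root/etc/inetd.conf" 2>/dev/null; then
        echo "ok   inetd: motda runs /home/wheel/bin/motd.update.sh as root"
    else
        echo "FAIL inetd: no motda entry for /home/wheel/bin/motd.update.sh"; rc=1
    fi

    # rsyslog: "*.* @host" forwards every message to the central log host over UDP
    # (a single @ selects UDP; @@ would select TCP).
    if grep -Eq '^\*\.\*[[:space:]]+@130\.95\.13\.1([[:space:]]|$)' \
            "$root/etc/rsyslog.conf" 2>/dev/null; then
        echo "ok   rsyslog: forwarding *.* to 130.95.13.1"
    else
        echo "FAIL rsyslog: '*.* @130.95.13.1' line missing"; rc=1
    fi
    return $rc
}

# Stand-alone demo against a constructed tree (not a real server) when no ROOT is given.
if [ $# -eq 0 ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/etc/ssh"
    printf '%s\n' 'Banner /etc/issue.net' > "$demo/etc/ssh/sshd_config"
    printf '%s\n' 'UCC machine: constructed banner' > "$demo/etc/issue.net"
    printf '%s\n' 'motda 377/tcp # UCC MOTD update' > "$demo/etc/services"
    printf '%s\n' 'motda stream tcp nowait root /home/wheel/bin/motd.update.sh motda' \
        > "$demo/etc/inetd.conf"
    printf '%s\n' '*.* @130.95.13.1' > "$demo/etc/rsyslog.conf"
    set -- "$demo"
fi
if check_server_baseline "$1"; then echo "all baseline checks passed"; fi
if [ -n "${demo:-}" ]; then rm -rf "$demo"; fi
```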