Differences between revisions 87 and 88
Revision 87 as of 2011-03-03 14:45:09
Size: 11921
Editor: cichlid
Comment:
Revision 88 as of 2011-03-04 16:31:22
Size: 11961
Editor: characid
Comment:
Line 210: Line 210:
build-essential bzflag cvs chromium-browser gnome-desktop-environment nfs-common nslcd ocsinventory-agent openjdk-6-jdk subversion thunderbird vim zsh build-essential bzflag cvs chromium-browser gnome-desktop-environment nfs-common nslcd ocsinventory-agent openjdk-6-jdk openssh-server subversion thunderbird ubuntu-restricted-extras vim zsh
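Review bot: adding openssh-server to the Linux Desktops package list turns every clubroom desktop into a listening SSH host, but that section has no sshd_config step, unlike Linux Servers, which says "Enable root ssh logins and X11 forwarding in /etc/ssh/sshd_config". State the intended desktop sshd settings next to the root SSH key push step so the two sections agree on what a freshly built machine exposes.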

One day, it would be nice to have a standard operating environment for UCC clubroom machines. Currently their state could be described as varying degrees of broken, partly because there is no defined procedure for setting them up. The purpose of this page is to brainstorm what this procedure should be.

Steps marked with <!> require a wheel member; anything else can be done by a winadmin.

Windows Profiles

Please see WindowsProfiles for more information on how these work / how you should manage them.

Windows 7

Steps to do before/during installation

  • Add forward and reverse DNS entries for the machine. <!> Not essential for setup

  • Add the machine to DHCP. <!> Not essential for setup

During/after installation

  • Install Win7 Pro, not the home edition, or you won't be able to add it to the domain
  • Make sure you create at least 3 disk partitions - one for Windows, one for games/other, and one or more for Linux
  • Enable the Administrator account and set a password, nuke the user you created during install
    • Handy hint: Instead of logging in with LOCALMACHINENAME\Administrator, log in with .\Administrator
  • Install F-Prot antivirus. <!> You will need a wheel member to give you the registration key

  • Install device drivers (graphics and sound most importantly).
  • Run the registry hack from http://wiki.samba.org/index.php/Windows7 - you won't be able to add the machine to the domain without doing this

  • Configure it to be part of the domain 'UCCDOMAIN' (Control Panel, System, Advanced System Settings, Computer Name). Ignore the error message.

  • Install and configure wpkg.
    • Both the client installer and the config files will be in //Mylah/wpkg
    • Import settings using the "import settings" button from //Mylah/wpkg/settings.xml
    • Go into service management and change the WPKG Service startup type to Automatic (Delayed Start). This step is essential; wpkg will not work without it.

    • Restart the computer
  • Set up printing.
  • Add Winadmins to computer administrators.
  • Add static route for 130.95.13.0/26: at a command prompt, type

route add -p 130.95.13.0 MASK 255.255.255.192 130.95.13.65

  • This prevents a VPN connection from stealing the default route and cutting off access to users' home directories.

Software to install

Software in this list should either be free to download and install, or something that the UCC has a license for. Some preference is given to software which is easily deployed with WPKG.

Installed automatically via WPKG

  • Putty
  • OpenOffice

  • Firefox
  • Security policy to hide last logged in user
  • Windows experience index test after initial install
  • WinSCP

  • OCS Inventory
  • FoxIT Reader

  • GIMP
  • Ario (MPD client: http://ario-player.sourceforge.net/)

  • Xming
  • Inkscape
  • CD Burning Software: InfraRecorder (isorecorder is no longer needed, as infrarecorder can do images)

Install by hand

Windows XP

Steps to do before/during installation

  • Add forward and reverse DNS entries for the machine. <!> Not essential for setup

  • Add the machine to DHCP. <!> Not essential for setup

  • Add the machine template to Samba. As root on Mylah, run /home/wheel/bin/ucc-addwinpc computername. <!>

During/after installation

  • Install Windows XP SP3 and configure it to be part of the domain 'UCCDOMAIN'.
  • Install device drivers (graphics and sound most importantly).
  • Set up printing.
  • Add Winadmins to computer administrators.
  • Configure WPKG. Install WPKG Client 1.3.9.msi, and load settings.xml using 'import settings', both in //mylah/wpkg

    • As Windows XP is no longer the default profile, you will need to edit /wpkg/hosts.xml and make an entry for the machine
  • Turn Windows Updates on to fully-automatic.
  • Add static route for 130.95.13.0/26: at a command prompt, type

route add -p 130.95.13.0 MASK 255.255.255.192 130.95.13.65

Software to install

Software in this list should either be free to download and install, or something that the UCC has a license for. Some preference is given to software which is easily deployed with WPKG.

What about...

  • ActiveState ActivePython and/or ActivePerl

  • Eclipse? Massive but apparently Java programmers love it
  • NetBeans? Not nearly as massive (but still quite large)

  • Komodo Edit, a rather nice lightweight programmers' editor
  • gVim, the logical alternative to the above
  • TortoiseSVN
  • Cygwin - I vote no, it's horrible [DAA]

  • sequoiaview?
  • Hardware design tools like ..
  • SwitcherCADIII (free download with very active support list)
  • Altium Designer (on at least one machine) or the free (limited) version of Eagle
  • Pushing the UCC CA out over WPKG? http://wpkg.org/SSL_CA_Install

  • Inkscape
  • The GIMP

Installed automatically via WPKG

Linux Servers

  • Add a root user and nuke the initial unprivileged user
  • Change sources.list to use UWA's mirror (in vim: %s/au.archive.ubuntu.com/mirrors.uwa.edu.au\/ubuntu/)
    • Beware of copying the apt_sources list from another server without copying the apt_preferences file too. You might suddenly find yourself with much newer versions of packages than you want.
  • Set up NFS:
    • Add the machine to DNS if it isn't there already
    • Add the ethernet (MAC) address to madako's /etc/dhcp3/dhcpd.conf if it isn't there already
    • Add the machine to the 'sharemgr share' output on Musundo
    • Add the fstab line (copy off martello or something)
    • mount -a and hope
  • Add the UCC root SSH keys: add the hostname to /home/wheel/bin/uccroot/push.sh, then run that script.
    • Copy the ssh banner from another server and modify it to suit
    • Enable root ssh logins and X11 forwarding in /etc/ssh/sshd_config
  • Set up LDAP - you may need to use libnss-ldapd and libpam-ldapd on newer Ubuntu and Debian (as opposed to the old libnss-ldap)

    • Ensure nsswitch.conf uses ldap for group, passwd, and services - the latter is not done by default on most configurations.
    • You will also need to copy /etc/groups from another server
  • Install dispense: copy /usr/local/bin/dispense, /usr/local/lib/libucc.so and /usr/share/man/man1/dispense.1.gz off a machine with a similar architecture
    • Requires: oidentd
    • Make sure you copy the files across after setting up ldap and copying the /etc/groups file across, otherwise the coke user doesn't exist and the permissions get set wrong when you copy the files.

    • Figuring out how to add a new dispense client is an exercise left to the reader :)

  • Install Phonehome:
    • apt-get install python-zsi rsync apt-listchanges

    • As root on mooneye, cd /usr/local/phonehome && ./setup.zsh $HOSTNAME

  • Install postfix, then edit the root: line of /etc/aliases to direct mail to the ucc hostmaster address, then run newaliases

  • Packages to install:

alpine apache2 biff build-essential cvs finger ircii irssi logwatch monotone ncurses-term openbsd-inetd ocsinventory-agent rkhunter screen subversion sudo sun-java6-jdk susv3 strace vim wireshark zsh 
  • The server for ocs inventory is ocsinventory-ng.ucc.gu.uwa.edu.au
  • For file servers, you should also install:

acl clamav iotop nfs-common nfs-kernel-server
  • Copy rkhunter.conf, pine.conf, mailname from another server
  • Install the UCC motd system on machines which mount /home: add the following line to /etc/inetd.conf:

motda   stream  tcp     nowait  root    /home/wheel/bin/motd.update.sh motda
  • Add the following line to /etc/rsyslog.conf

*.* @madako

Linux Desktops

  • Add a root user and nuke the initial unprivileged user
  • Change sources.list to use UWA's mirror (in vim: %s/au.archive.ubuntu.com/mirrors.uwa.edu.au\/ubuntu/)
  • Set up LDAP - you may need to use libnss-ldapd and libpam-ldapd on newer Ubuntu and Debian (as opposed to the old libnss-ldap)

    • apt-get install --no-install-recommends libnss-ldapd libpam-ldapd

    • Set server to ldaps://mussel.ucc.gu.uwa.edu.au/ ldaps://martello.ucc.gu.uwa.edu.au/ - do not use the ucc.asn.au domain

    • Set search base to dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au

    • Check server SSL certificate: demand
    • wget -O /etc/ssl/UCC-CA.crt http://ucc.asn.au/UCC-CA.crt to copy the UCC certificate authority

    • Edit /etc/nslcd.conf and add the line tls_cacertfile /etc/ssl/UCC-CA.crt

    • Restart nslcd: /etc/init.d/nslcd restart

    • Edit /etc/nsswitch.conf to include ldap for group, passwd, and services - the latter is not done by default on most configurations.

    • The following pam instructions are 80% of what's required for lenny, but mostly useless for squeeze. Check out motsugo's pam.d directory for a newer example.
    • Edit /etc/pam.d/common-auth (order of unix & LDAP is important, as is use_first_pass rather than try_first_pass):

auth    sufficient      pam_unix.so nullok_secure
auth    required        pam_ldap.so use_first_pass
    • Edit /etc/pam.d/common-account (order of unix & LDAP is important):

account sufficient      pam_unix.so
account required        pam_ldap.so use_first_pass
    • Test: id accmurph should show uid=666(accmurph) gid=666(winadmin) groups=666(winadmin) - if so, libnss-ldapd is working.

    • Test: login and try your username and password - if ok, libpam-ldapd is working.

  • Modify /etc/fstab to mount /away
  • Add the UCC root SSH keys: add the hostname to /home/wheel/bin/uccroot/push.sh, then run that script.
  • Install Phonehome:
    • apt-get install python-zsi rsync apt-listchanges

    • As root on mooneye, cd /usr/local/phonehome && ./setup.zsh $HOSTNAME
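The nslcd/nsswitch steps above (and the shorter LDAP steps in the Linux Servers section) as a dry-runnable shell script; this is an added example, not a UCC script. It assumes the nslcd.conf option names shown (uri, base, tls_reqcert, tls_cacertfile) and that the CA fingerprint checked by check_ca_fingerprint is supplied by the caller from an out-of-band source, since the wiki publishes no fingerprint.

```shell
#!/bin/sh
# Added example, not from the UCC wiki: render and verify the nslcd/nsswitch
# settings from the Linux Desktops LDAP steps. File paths are parameters so the
# functions can be dry-run on a scratch copy before anything under /etc changes.
LDAP_URIS="ldaps://mussel.ucc.gu.uwa.edu.au/ ldaps://martello.ucc.gu.uwa.edu.au/"
LDAP_BASE="dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au"
CA_FILE="/etc/ssl/UCC-CA.crt"

# Emit the nslcd.conf lines the wiki asks for; tls_reqcert demand makes nslcd
# refuse any server whose certificate does not chain to the UCC CA.
render_nslcd_conf() {
    printf 'uri %s\nbase %s\ntls_reqcert demand\ntls_cacertfile %s\n' \
        "$LDAP_URIS" "$LDAP_BASE" "$CA_FILE"
}

# Make passwd, group and services consult ldap after files in nsswitch.conf
# ($1); services is the database stock configurations usually leave out.
patch_nsswitch() {
    for db in passwd group services; do
        if grep -q "^$db:.*[[:space:]]ldap" "$1"; then
            continue
        elif grep -q "^$db:" "$1"; then
            sed -i "s/^$db:.*/$db: files ldap/" "$1"
        else
            printf '%s: files ldap\n' "$db" >> "$1"
        fi
    done
}

# Succeed only if all three databases in nsswitch.conf ($1) list ldap.
check_nsswitch() {
    for db in passwd group services; do
        grep -q "^$db:.*[[:space:]]ldap" "$1" || return 1
    done
}

# The wiki fetches the CA over plain HTTP, so compare the downloaded file ($1)
# with a SHA-256 fingerprint ($2) obtained out of band (assumed to come from a
# wheel member; the wiki publishes none) before pointing nslcd at it.
check_ca_fingerprint() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 \
             | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f')
    [ "$actual" = "$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')" ]
}

# The wiki's functional test: a known LDAP-only account ($1) resolves to the
# expected uid ($2) through libnss-ldapd, e.g. check_ldap_user accmurph 666.
check_ldap_user() {
    [ "$(id -u "$1" 2>/dev/null)" = "$2" ]
}
```

Run patch_nsswitch and check_nsswitch against a copy of /etc/nsswitch.conf first; only the passwd, group and services lines are touched.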

Ensure the following packages are installed:

build-essential bzflag cvs chromium-browser gnome-desktop-environment nfs-common nslcd ocsinventory-agent openjdk-6-jdk openssh-server subversion thunderbird ubuntu-restricted-extras vim zsh
  • The server for ocs inventory is ocsinventory-ng.ucc.gu.uwa.edu.au


CategorySystemAdministration