This page has details of debian and Ubuntu systems, with info about light touch management and manual setup.

Initial install

Using a suitable CD1, do a basic ubuntu (or debian) install2 and then the machine can be setup using either std Lab or manual commands.

Basic ubuntu install

Do a std ubuntu (or debian) install, but

Disabling dmraid

If FakeRAID has been used before (e.g. a Windows box), disabling it in the BIOS may not be sufficient to make it go away. Fedora takes a nodmraid kernel flag. For Debian, "apt-get purge dmraid" and it should work. Otherwise copy /dev/zero to the end of the discs (see /proc/partitions for the disc size in kB)

Basic lab setup

To perform a basic Lab setup, login as localadmin and run the bootstrap script, e.g.

wget www/deb/bs && sudo bash bs


sudo bash <(wget -O - www/deb/bs)

and press "Return" to most (all?) questions, and it will setup access to the local repository, load "standard" packages, and perform some basic tailoring.

If krb5 is to be used for login and to access the filer, a keytab will be needed. If you cannot create one, ask win-admin to run C:\Scripts\keytab_cmd.vbs on an adsrv* machine, then /usr/groups/admin/kerberos/copykeytab2host on an omnipotent Linux server.

Reboot the machine and check that it works.

Manual setup

An alternative to a Std Lab setup, individual components can be manually configured.

Basic setup

Without a std Lab setup, the most basic steps are to gain access to the local repository

(cd /tmp; wget www/deb/cl.deb; sudo dpkg --force-bad-verify -i cl.deb)
sudo apt-get update

and then allow the main lab server (misbourne and sandy) by loading the relevant package

sudo apt-get install cl-root-cl-authorized-keys

iptables: ufw / firestarter

All machines in the department, regardless of which subnet they are on, should have their own IP filtering in addition to that provided by the Lab router.

iptables: ufw

The standard tool to manage iptables under Ubuntu is ufw. It is enabled or disabled by ENABLED= in /etc/ufw/ufw.conf. To enable IPv6 filtering, "IPV6=yes" needs to be set in /etc/default/ufw. This should be done before configuration as rules without IPv4 or IPv6 addresses apply to both protocols. The default policy (e.g. ACCEPT or DROP) is determined by /etc/default/ufw, and the user rules are in /var/lib/ufw/user.rules and /var/lib/ufw/user6.rules. The firewall can be reloaded using "ufw enable", and inspected using "ufw status". /etc/ufw/applications.d/$app can define an application, e.g. /etc/ufw/applications.d/openssh-server has

title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.

Sample rules are

ufw allow from                      to any app OpenSSH # Log nagios
ufw allow from                      to any app OpenSSH #  probes
ufw allow from 2001:630:212:267:216:3eff:fee8:9fe to any app OpenSSH #  separately
ufw allow from 2001:630:212:267:216:3eff:fee8:a35 to any app OpenSSH #  IPv[46]
ufw allow from                     to any app OpenSSH # Log internal ssh
ufw allow from 2001:630:212:200::/56              to any app OpenSSH #  access separately
ufw allow                                                    OpenSSH # Any ssh (IPv[46])
ufw deny  proto udp to # Avoid noise
ufw deny  proto udp to  # in the logs
ufw allow proto tcp from    to any port auth # Allow "auth" from
ufw allow proto tcp from    to any port auth #  CL and CS IPv4 services
ufw allow proto tcp from 2001:630:212::/48 to any port auth #  ... and IPv6
ufw allow proto tcp from   to any port 5900 # On XenE domUs (dis)allow
ufw deny  proto tcp from   to any port 5900 #  XenCenter VNC access

iptables: firestarter

The standard tool under debian is firestarter. It does not have fine control (e.g. it always operates on both UDP and TCP ports together). It can be called as a command line "firestarter --generate-scripts" to use /etc/firestarter/configuration to generate a new /etc/firestarter/firewall. This sets the high level policies such as OUTBOUND_POLICY="permissive" which allows outgoing traffic by default. Files such as /etc/firestarter/inbound/allow-service sets the finer control, selecting extra incoming ports, in the form

name, port, source, comment

where a source of everyone means A suitable file (with redundant rules which allow actual use to be seen) might be

SSH, 22,, nagios-serv0
SSH, 22,, nagios-serv1
SSH, 22,, VLAN 100
SSH, 22,, CL
SSH, 22, everyone, internet
Auth, 113,, Internal auth requests only

The firewall can be reloaded using "invoke-rc.d firestarter restart"

iptables: Nexenta

Nexenta has neither ufw nor firestarter, and no iptables.

RAID setup

If RAID is used for the root FS, recent ubuntu systems have the facility to allow automatic booting even if the RAID is degraded. The kernel option "bootdegraded=true" does it, as does setting "BOOT_DEGRADED=true" in /etc/initramfs-tools/conf.d/mdadm, e.g. using "dpkg-reconfigure mdadm".

Other setup

Various other configurations need settup up, such as diabling incoming password based incoming ssh, enabling CUPS access, and such like4


To purge packages which are no longer needed, use "cl-asuser apt-get autoremove".

To purge the repository cache, use "cl-asuser apt-get clean".

On xen systems ONLY, any "-server" or "-generic" kernel packages can be removed. "cl-asuser apt-get remove $(dpkg -l linux-image\*-generic linux-image\*-server | sed -n 's/^ii *//p' | sed 's/ .*//')".

Quick conversions from RPM

Below are some quick conversions which may be of help for users of RPM distributions

rpm -> dpkg

Package names are all lower case, and rather than $language-$name tend to be lib$name-$language, e.g. perl-XML-DOM becomes libxml-dom-perl.

yum/yast -> apt-get (and dpkg)

Non obvious package names (xfce, flash)

Others may have the obvious name, but require an indirect install by adding an extra repository.

Reconfiguration (dpkg-reconfigure)

Settings may need to be reconfigired using "cl-asuser dpkg-reconfigure $package", e.g.


The Lab debian repository can be made available by fetching the cl-debian package and installing it

cd /tmp; wget; dpkg --force-bad-verify -i cl.deb

This creates a file /etc/apt/sources.list.d/cl.list containing

deb CL all

telling it to contact the server and look in deb/dists/CL/all/binary-{{solaris-,}i386,am64}; and a public Lab GPG key in /usr/share/keyrings/ which it installs using "apt-key add" (use "apt-key list" and look for "").

Once set up local packages can be added in the normal way using "apt-get install".

Package HACKs (e.g. xv)

Some packages are available from non standard Ubuntu/debian repositories, so have to have the repository added the the list (it may bring in non-standard other packages), or have the .deb file copied into a Lab repository (so needs manual management each time there is a new version).

Some are available as .deb files, but not in any repository, so need to be copied to a Lab one.

Some are not available as .deb, but are available as .rpm, in which case the excellent alien command can be used to convert it to a .deb, and then add it to a Lab repository.

In a few cases, it doesn't work perfectly.

indirect installs (e.g. acroread)

In some cases it is necessary to install a "release" package, or otherwise, in order to add a new repository, before the package itself can be installed. Run "apt-get update" to make the packages from the repository available.

To enable the partner respository, using something such as

sudo apt-add-repository "deb $(lsb_release -sc) partner"

or using a GUI such as "System -> Administration -> Software Sources -> Third Party Software" or "System -> Software Sources -> Other Software" to tick the " jaunty partner" box (the "jaunty" will change between releases) which should uncomment the line such as

deb jaunty partner

in /etc/apt/sources.list. Alternatively, as a quick HACK, create a new file such as /etc/apt/sources.list.d/canonical-partner.list containing just that line.

To add a "release" package, run commands such as

cl-asuser apt-get install cl-medibuntu
cl-asuser apt-get update
cl-asuser apt-get install acroread mozilla-acroread acroread-plugins

and if it works, add the packages to /etc/user-config/bundles.

ppa upgrade (e.g. firefox)

If packages more recent than the standard distribution versions are wanted, it may be possible to add a repository which has later versions. On lucid or maverick, later versions of firefox can be installed using

sudo add-apt-repository ppa:mozillateam/firefox-stable


As noted, contact sys-admin before upgrading a distribution to check that it's likely to work, and to allow the state of the machine to be maintained.

The safest things to do is to do a fresh install into a new OS partition, as it is simple to use GrUB to boot into the previous version.

If doing an upgrade, save a snapshot in case it fails. On a VM, take a snapshot. On a real machine with RAID1, break the mirror.

On old versions of Ubuntu <11.04 the upgrade process does not appear to check that there is sufficient space available before starting. Check that there is enough free space - U10.10 to U11.04 appears to need around 500MB (but if you have lots of packages could exceed 2GB).

Do the upgrade using "sudo do-release-upgrade". When asked whether to keep a configuration file or use the implementer's version, use "y" to select the latter. This ensures that the configuration file will be based on one appropriate for the current version of the code. A run of cl-system-update will apply the std Lab patches to configure them.

Central Management

The following subsections are intended for central administrators rather than users.

Local repository

A local repository is being built to contain "extra" packages. dpkg-scanpackages is used to generate the Packages.bz25 files, whose checksums6 are recorded in Release, whose signature is recorded in Release.gpg.

See above for setting up a client to use the repository.

As ubuntu is moving away from Xen to KVM, getting linux-image-*-xen is becoming less easy. May need to copy from debian or launchpad into the local repository7.

Converting RPMs

Local RPMs can be converted to .deb packages using alien, e.g. using /usr/groups/linux/redhat/cl/RPM-noarch/make-deb. The script automatically performs the commands below.

Updating Packages*

After new packages are added, the Packages* files need to be regenerated, which can be done using /usr/groups/linux/debian/deb-rep.

secure apt

secure apt allows the checksum for the Packages* files to be put in the Release file, and have a detached signatire file Release.gpg signed using a Lab key. This is done using "make Release.gpg" in /usr/groups/linux/debian/repos/ (which deb-rep does).


Errors were encountered while processing: grub

/var/lib/dpkg/info/grub-pc.postinst does not use /dev/disk/by-uuid so may be unable to configure GrUB. There is a patch in /global/src/etc/manage-scripts/patches

Ubuntu 12.04 issues

Can't enter username on the login screen

11.10 and 12.04 use LightDM as display manager, and are configured to use a GUI login prompt that only permits selection of local users. You can change this by editing /etc/lightdm/lightdm.conf to have


or by installing lightdm-gtk-greeter, if it's not already installed, and changing the greeter-session line in /etc/lightdm/lightdm.conf to use it



  • 1 iso images may be found in /a/misc-nosnap1/distros/ubuntu/ (or debian/)

  • 2 had to unplug the external disc on swatch to avoid the GrUB install from crashing

  • 3 alternatively, on a new disc, let it use 'all' the disc as a single partition, then later shrink it down to 20GB

  • 4 should have a page describing what configuration should performed for all machines on a Lab network

  • 5 older clients may need .gz

  • 6 actually the checksum of Packages is needed, rather than that of Packages.bz2

  • 7 has xen install instructions via FV

SysInfo/Debian (last edited 2014-06-06 07:05:54 by host86-160-164-4)