Initial install
Using a suitable CD [1], do a basic ubuntu install [2][3], and then the machine can be set up using either the std Lab bootstrap or manual commands.
Basic ubuntu install
Do a std ubuntu install, but:
- use a static address
- if the machine is to be "Lab Managed", create a local user localadmin which COs can use for local admin if needed.
- partition the discs into suitably sized partitions [4] of some power of 2 of 1077MB (which is 131 cylinders of 255 heads and 63 sectors), e.g. 8620, 8620 and 17240 for the three primary partitions sda1, sda2 and sda3.
  If using two HDDs, repeat for sdb and set up sda3 and sdb3 as RAID1 md3 for the root FS (if doing it manually, use "-z 6000000" to use 6GB).
  If using a single SSD, set sda3 as ext4 and mount it as the root FS. Also consider loading a rescue Ubuntu Server image (needs 1.2 GB) such as may be available in /a/misc-nosnap1/distros/ubuntu/images/
- as machines tend to have decent amounts of memory, we do not initially allocate any swap.
- set to boot even if the RAID is degraded.
Disabling dmraid
If FakeRAID has been used before (e.g. on a former Windows box), disabling it in the BIOS may not be sufficient to make it go away. Fedora takes a nodmraid kernel flag. On Debian, "apt-get purge dmraid" should work. Otherwise copy /dev/zero to the end of the discs (see /proc/partitions for the disc size in kB).
Basic lab setup
To perform a basic Lab setup, login as localadmin and run the bootstrap script, e.g.
wget www/deb/bs && sudo bash bs
or
sudo bash <(wget -O - www/deb/bs)
and press "Return" to most (all?) questions; it will set up access to the local repository, load the "standard" packages and perform some basic tailoring.
If krb5 is to be used for login and to access the filer, a keytab will be needed. If you cannot create one, ask win-admin to run C:\Scripts\keytab_cmd.vbs on an adsrv* machine, then /usr/groups/admin/kerberos/copykeytab2host on an omnipotent Linux server.
Reboot the machine and check that it works.
Manual setup
As an alternative to a std Lab setup, the individual components can be configured manually.
Basic setup
Without a std Lab setup, the most basic steps are to gain access to the local repository
(cd /tmp; wget www/deb/cl.deb; sudo dpkg --force-bad-verify -i cl.deb)
sudo apt-get update
and then allow the main Lab servers (misbourne and sandy) in by loading the relevant package
sudo apt-get install cl-root-cl-authorized-keys
iptables: ufw / firestarter
All machines in the department, regardless of which subnet they are on, should have their own IP filtering in addition to that provided by the Lab router.
iptables: ufw
The standard tool to manage iptables under Ubuntu is ufw. It is enabled or disabled by the ENABLED= setting in /etc/ufw/ufw.conf. To enable IPv6 filtering, "IPV6=yes" needs to be set in /etc/default/ufw; this should be done before configuration, as rules which do not specify an IPv4 or IPv6 address apply to both protocols. The default policy (e.g. ACCEPT or DROP) is determined by /etc/default/ufw, and the user rules are in /var/lib/ufw/user.rules and /var/lib/ufw/user6.rules. The firewall can be reloaded using "ufw enable", and inspected using "ufw status". /etc/ufw/applications.d/$app can define an application, e.g. /etc/ufw/applications.d/openssh-server has
[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp
Sample rules are
ufw allow from 128.232.9.254 to any app OpenSSH                   # Log nagios
ufw allow from 128.232.10.53 to any app OpenSSH                   # probes
ufw allow from 2001:630:212:267:216:3eff:fee8:9fe to any app OpenSSH # separately
ufw allow from 2001:630:212:267:216:3eff:fee8:a35 to any app OpenSSH # IPv[46]
ufw allow from 128.232.0.0/17 to any app OpenSSH                  # Log internal ssh
ufw allow from 2001:630:212:200::/56 to any app OpenSSH           # access separately
ufw allow OpenSSH                                                 # Any ssh (IPv[46])
ufw deny proto udp to 255.255.255.255                             # Avoid noise
ufw deny proto udp to 128.232.15.255                              # in the logs
ufw allow proto tcp from 128.232.0.0/16 to any port auth          # Allow "auth" from
ufw allow proto tcp from 131.111.0.0/16 to any port auth          # CL and CS IPv4 services
ufw allow proto tcp from 2001:630:212::/48 to any port auth       # ... and IPv6
ufw allow proto tcp from 128.232.13.0/24 to any port 5900         # On XenE domUs (dis)allow
ufw deny proto tcp from 128.232.14.0/24 to any port 5900          # XenCenter VNC access
iptables: firestarter
The standard tool under debian is firestarter. It does not have fine control (e.g. it always operates on both the UDP and TCP ports together). It can be run from the command line as "firestarter --generate-scripts" to use /etc/firestarter/configuration to generate a new /etc/firestarter/firewall. This sets the high level policies, such as OUTBOUND_POLICY="permissive" which allows outgoing traffic by default. Files such as /etc/firestarter/inbound/allow-service set the finer control, selecting extra incoming ports, in the form
name, port, source, comment
where a source of everyone means 0.0.0.0/0. A suitable file (with redundant rules which allow actual use to be seen) might be
SSH, 22, 128.232.9.254, nagios-serv0
SSH, 22, 128.232.10.53, nagios-serv1
SSH, 22, 128.232.0.0/20, VLAN 100
SSH, 22, 128.232.0.0/17, CL
SSH, 22, everyone, internet
Auth, 113, 128.232.0.0/17, Internal auth requests only
The firewall can be reloaded using "invoke-rc.d firestarter restart".
iptables: Nexenta
Nexenta has neither ufw nor firestarter, and no iptables.
RAID setup
If RAID is used for the root FS, recent ubuntu systems have the facility to allow automatic booting even if the RAID is degraded. The kernel option "bootdegraded=true" does it, as does setting "BOOT_DEGRADED=true" in /etc/initramfs-tools/conf.d/mdadm, e.g. using "dpkg-reconfigure mdadm".
Other setup
Various other configurations need setting up, such as disabling password-based incoming ssh, enabling CUPS access, and such like [5].
Tidyups
To purge packages which are no longer needed, use "cl-asuser apt-get autoremove".
To purge the repository cache, use "cl-asuser apt-get clean".
On xen systems ONLY, any "-server" or "-generic" kernel packages can be removed. "cl-asuser apt-get remove $(dpkg -l linux-image\*-generic linux-image\*-server | sed -n 's/^ii *//p' | sed 's/ .*//')".
Quick conversions from RPM
Below are some quick conversions which may be of help for users of RPM distributions
rpm -> dpkg
rpm -qa: dpkg -l
rpm -ql: dpkg -L
rpm -qf: dpkg -S (or "apt-file search", "apt-cache search", "/usr/lib/command-not-found" or web)
Package names are all lower case, and rather than $language-$name tend to be lib$name-$language, e.g. perl-XML-DOM becomes libxml-dom-perl.
yum/yast -> apt-get (and dpkg)
yum clean all: apt-get update (updates the meta data, so needed often)
yum update: apt-get upgrade (actually updates the packages)
yum search: dpkg -l (give an anchored regular expression)
yum list: dpkg -l
Non obvious package names (xfce, flash)
xfce: xubuntu-desktop
flash: flashplugin-installer
Others may have the obvious name, but require an indirect install by adding an extra repository.
Reconfiguration (dpkg-reconfigure)
Settings may need to be reconfigured using "cl-asuser dpkg-reconfigure $package", e.g.
keyboard: console-setup for TTY VCs, and xserver-xorg for X
Packages
The Lab debian repository can be made available by fetching the cl-debian package and installing it
cd /tmp; wget www.cl.cam.ac.uk/deb/cl.deb; dpkg --force-bad-verify -i cl.deb
This creates a file /etc/apt/sources.list.d/cl.list containing
deb http://www.cl.cam.ac.uk/deb CL all
telling it to contact the www.cl.cam.ac.uk server and look in deb/dists/CL/all/binary-{{solaris-,}i386,amd64}; and a public Lab GPG key in /usr/share/keyrings/cl.cam.ac.uk-archive-keyring.gpg which it installs using "apt-key add" (use "apt-key list" and look for "cl.cam.ac.uk").
Once set up, local packages can be added in the normal way using "apt-get install".
Package HACKs (e.g. xv)
Some packages are available from non-standard Ubuntu/debian repositories, so either the repository has to be added to the list (it may bring in other non-standard packages), or the .deb file has to be copied into a Lab repository (which needs manual management each time there is a new version).
Some are available as .deb files, but not in any repository, so need to be copied to a Lab one.
Some are not available as .deb, but are available as .rpm, in which case the excellent alien command can be used to convert it to a .deb, and then add it to a Lab repository.
In a few cases, it doesn't work perfectly.
xv: the 64b version of xv (from rpmfusion) uses libtiff.so.3, but does not note this as a requirement. HACK:
find /usr/lib -name libtiff.so.4 -execdir sudo ln -s libtiff.so.4 libtiff.so.3 \;
indirect installs (e.g. acroread)
In some cases it is necessary to install a "release" package, or otherwise add a new repository, before the package itself can be installed. Run "apt-get update" afterwards to make the packages from the repository available.
acroread: jaunty / 9.04 and later: add the partner repository.
acroread: (a 32b version) pre jaunty / 8.04: add the cl-medibuntu package (local copy of medibuntu); jaunty / 9.04 and later: add the canonical "partner" repository.
acroread-plugins, mozilla-acroread: cl-medibuntu (local copy of medibuntu) installs plugins for firefox
To enable the partner repository, use something such as
sudo apt-add-repository "deb http://archive.canonical.com/ $(lsb_release -sc) partner"
or use a GUI such as "System -> Administration -> Software Sources -> Third Party Software" or "System -> Software Sources -> Other Software" to tick the "http://archive.canonical.com/ubuntu jaunty partner" box (the "jaunty" will change between releases), which should uncomment a line such as
deb http://archive.canonical.com/ubuntu jaunty partner
in /etc/apt/sources.list. Alternatively, as a quick HACK, create a new file such as /etc/apt/sources.list.d/canonical-partner.list containing just that line.
To add a "release" package, run commands such as
cl-asuser apt-get install cl-medibuntu
cl-asuser apt-get update
cl-asuser apt-get install acroread mozilla-acroread acroread-plugins
and if it works, add the packages to /etc/user-config/bundles.
ppa upgrade (e.g. firefox)
If packages more recent than the standard distribution versions are wanted, it may be possible to add a repository which has later versions. On lucid or maverick, later versions of firefox can be installed using
sudo add-apt-repository ppa:mozillateam/firefox-stable
Upgrades
As noted, contact sys-admin before upgrading a distribution to check that it's likely to work, and to allow the state of the machine to be maintained.
The safest thing to do is a fresh install into a new OS partition, as it is simple to use GrUB to boot into the previous version.
If doing an upgrade, save a snapshot in case it fails. On a VM, take a snapshot. On a real machine with RAID1, break the mirror.
On versions of Ubuntu before 11.04 the upgrade process does not appear to check that there is sufficient space available before starting. Check that there is enough free space: U10.10 to U11.04 appears to need around 500MB (but if you have lots of packages it could exceed 2GB).
Do the upgrade using "sudo do-release-upgrade". When asked whether to keep a configuration file or use the implementer's version, use "y" to select the latter. This ensures that the configuration file will be based on one appropriate for the current version of the code. A run of cl-system-update will apply the std Lab patches to configure them.
Central Management
The following subsections are intended for central administrators rather than users.
Local repository
A local repository is being built to contain "extra" packages. dpkg-scanpackages is used to generate the Packages.bz2 [6] files, whose checksums [7] are recorded in Release, whose signature is recorded in Release.gpg.
See above for setting up a client to use the repository.
As ubuntu is moving away from Xen to KVM, getting linux-image-*-xen is becoming less easy. It may be necessary to copy from debian or launchpad into the local repository [8].
Converting RPMs
Local RPMs can be converted to .deb packages using alien, e.g. using /usr/groups/linux/redhat/cl/RPM-noarch/make-deb. The script automatically performs the commands below.
Updating Packages*
After new packages are added, the Packages* files need to be regenerated, which can be done using /usr/groups/linux/debian/deb-rep.
secure apt
secure apt allows the checksums for the Packages* files to be put in the Release file, and a detached signature file Release.gpg to be signed using a Lab key. This is done using "make Release.gpg" in /usr/groups/linux/debian/repos/ (which deb-rep does).
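As an added example (not the Lab's deb-rep or "make Release.gpg" scripts, which this page does not show), the following sketches the dpkg-scanpackages -> Release -> Release.gpg flow from the Local repository and secure apt subsections; the repository layout, key id and paths are assumptions.

```shell
#!/bin/sh
# Added example of the Packages -> Release -> Release.gpg flow; the layout
# (dists/CL/all/binary-$arch), key id and paths are assumptions, not the
# Lab's own deb-rep script.
set -e

# Regenerate Packages, Packages.gz and Packages.bz2 for one binary directory.
# Run from the repository root so the Filename fields are relative to it;
# the .gz copy is kept for older clients [6].
scan_packages() {
    bin_dir=$1                      # e.g. dists/CL/all/binary-amd64
    dpkg-scanpackages "$bin_dir" /dev/null > "$bin_dir/Packages"
    gzip -9c "$bin_dir/Packages" > "$bin_dir/Packages.gz"
    bzip2 -9c "$bin_dir/Packages" > "$bin_dir/Packages.bz2"
}

# Write dists/$suite/Release with the size and SHA256 of every Packages* file
# beneath it, paths relative to the suite directory. The uncompressed Packages
# is listed as well as the compressed copies [7]: apt verifies the hash of the
# uncompressed index it ends up using, whichever copy it fetched.
write_release() {
    suite_dir=$1                    # e.g. dists/CL
    {
        printf 'Suite: %s\n' "${suite_dir##*/}"
        printf 'Date: %s\n' "$(date -u '+%a, %d %b %Y %H:%M:%S UTC')"
        printf 'SHA256:\n'
        find "$suite_dir" -type f -name 'Packages*' | sort | while read -r f; do
            hash=$(sha256sum "$f" | cut -d' ' -f1)
            size=$(wc -c < "$f")
            printf ' %s %d %s\n' "$hash" "$size" "${f#"$suite_dir"/}"
        done
    } > "$suite_dir/Release"
}

# Detached signature over Release with the Lab archive key (placeholder id).
# Clients verify it against the keyring installed by cl.deb, so a Release that
# is unsigned or altered in transit is rejected rather than trusted.
sign_release() {
    suite_dir=$1
    key_id=${2:-LAB-ARCHIVE-KEY-ID}   # placeholder, not the real key id
    gpg --batch --yes --local-user "$key_id" --detach-sign \
        -o "$suite_dir/Release.gpg" "$suite_dir/Release"
}
```

Run scan_packages for each binary-$arch directory, then write_release and sign_release once for the suite directory.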
HACKs
Errors were encountered while processing: grub
/var/lib/dpkg/info/grub-pc.postinst does not use /dev/disk/by-uuid so may be unable to configure GrUB. There is a patch in /global/src/etc/manage-scripts/patches
Ubuntu 12.04 issues
Can't enter username on the login screen
11.10 and 12.04 use LightDM as display manager, and are configured to use a GUI login prompt that only permits selection of local users. You can change this by editing /etc/lightdm/lightdm.conf to have
greeter-hide-users=true
allow-guest=false
or by installing lightdm-gtk-greeter (if it is not already installed) and changing the greeter-session line in /etc/lightdm/lightdm.conf to use it:
greeter-session=lightdm-gtk-greeter
Footnotes
[1] iso images may be found in /a/misc-nosnap1/distros/ubuntu
[2] U8.10amd64 gave disc errors on desktop and alternate CDs
[3] had to unplug the external disc on swatch to avoid the GrUB install from crashing
[4] any residue at the end can be allocated to increasingly smaller powers of two
[5] should have a page describing what configuration should be performed for all machines on a Lab network
[6] older clients may need .gz
[7] actually the checksum of Packages is needed, rather than that of Packages.bz2
[8] http://forums.citrix.com/thread.jspa?messageID=1389844 has xen install instructions via FV