########################################
# INSTALLATION (i.e. clean slate):
# If you need a CDROM, see http://www.debian.org/CD/http-ftp/#stable and
# get the i386 .iso and burn that to disk. NOTE: our PowerEdge 4600 only
# has Intel 80532, a.k.a. Xeon Prestonia; and, our PowerEdge 1800 and 2800
# have the Intel 80546K, a.k.a. XEON IRWINDALE; all of which do not support
# em64t, a.k.a. amd64; i.e. all are 32-bit servers.
# NOTE: this machine is registered with hostmaster@pitt.edu; therefore, it
# gets an IP address automatically (and its hostname and domain).
########################################
Boot to the Debian CDROM (i.e. put the disk in the drive and boot up the machine); which, for this document, is the i386 v5.0.3 (a.k.a. "Lenny"). Note that if the current supported version changes, I wouldn't recommend running "sudo apt-get dist-upgrade", but rather following along here (i.e. clean slate using the newer CDROM).

At the Installation Boot Menu, just hit Enter; i.e. "Install" and not the Graphical install or Advanced options. Hit Enter, Enter, Enter (you know, English, United States, American English). Hit Enter (network card defaulted to eth0), hit Enter (hostname defaulted to "db1"), hit Enter (domain name defaulted to "neurobio.pitt.edu"), and again, hit Enter (for the default "eastern" time zone).

Arrow down to "manual" (as opposed to one of the guided partitioning options) and Enter. Then, arrow down to the "#1 primary 30.4GB" partition (under 36.4GB MegaRAID with RAID 1) and hit Enter. Arrow up to the top, to "Use as:" and Enter and Enter again (to accept the default "ext3 journaling file system"), then arrow down to "Format the partition:" and hit Enter (to switch it to "yes, format it"), then arrow down to "Mount point:" and Enter and Enter again (to accept the default "/ - root file system"), and then arrow down to "Done setting up the partition" and Enter.
Then arrow to the "#1 primary 440.1GB" partition (under the second MegaRAID with RAID 5) and Enter, and arrow to "Use as:" and Enter and Enter again (for the default "ext3"); then arrow to "Mount point:" and Enter, then arrow to "Enter manually" and Enter and type "data" (minus the quotes, so that the text field ends up "/data") and Enter, and finally (for this partition), arrow to "Done setting up the partition" and Enter. NOTE: do *NOT* format (i.e. erase) this partition--not that you should be worried that you are going to do it, but don't select the "Format the partition:" step like we did for the partition above. Then finally, arrow down to "Finish partitioning and write changes to disk" and Enter (and arrow left to "Yes" and Enter, because you're sure).

When prompted, type in the root password and Enter (and again), then type in your full name and Enter, username and Enter, and password and Enter (twice). When prompted to scan more CD-ROM images, just hit Enter (defaults to "no"); and again, arrow over to "no" when prompted to use a network mirror, and Enter (albeit the default and recommended is "yes"). Hit Enter when prompted about feedback (a.k.a. popularity contest), defaulted to "no". When prompted for what software to install, "Desktop environment" will be highlighted; just hit the space bar and hit Enter (to remove the asterisk inside the brackets and leave only "Standard system" with a mark). Hit Enter (default "yes" to install the GRUB boot loader to the MBR). Hit Enter (to boot into your new system, yeah!). Log in as "root" with the password (from the setup above), and then put the Debian CD back in (as we will need it later)...

########################################
# CONTINUE INSTALLATION (i.e. install applications):
#
# note for firewall:
# "tail -f /var/log/messages" to view the last few entries and the current
# system warnings being added to the log, and then Ctrl and "c" to cancel
# viewing (i.e.
# as opposed to "cat" with no flag, which shows the static
# logfile at the time the command was run); note, this works because we
# asked iptables in the second to last set of rules (below) to log everything
# (that didn't match a previous rule) at the warning level (4), which
# syslog writes to /var/log/messages
# note: all ports, like 3306 for MySQL (and 5432 for PostgreSQL), had to be
# opened on Pitt's hardware firewall also (email helpdesk@pitt.edu)
# note: ports 5900, 5901, etc. are not opened (i.e. VNC is not secure, so
# we just tunnel over port 22; which, to get more verbose, is open to
# 130.49.234.0/24, 10.195.8.0/26, 130.49.239.224/27, 136.142.58.32/27,
# and 130.49.236.0/24 (our workstation zones) and both 136.142.142.40
# and 136.142.142.97 (Joan over in Neuroscience)--through the physical
# firewall, but I only want to allow a few access (i.e. through the
# software firewall below). Also, not using /etc/hosts.allow or /etc/hosts.deny
# note: not really caring about the OUTPUT (or FORWARD) chain(s)
#
# note for all installations:
# when prompted "…continue [Y/n]?", just hit Enter (i.e. yes) and when
# prompted to insert the Debian CD, just hit Enter
# USERNAME = your (lowercase) username and PASSWORDHERE = your password
# note: http://dev.mysql.com/doc/refman/5.0/en/tutorial.html
########################################
apt-get install sudo
pico /etc/sudoers
# (or "visudo", which is the safer way to edit this file, as it checks the
# syntax before saving; a broken sudoers locks everyone out of sudo)
# add "User_Alias ADMINS = USERNAME" (minus the quotes), and by all means,
# add ", USERNAME" and so on; and, add "ADMINS ALL=(ALL) ALL", then hold
# Ctrl and type "x" (to exit), type "y" (to save), and Enter (keep name).
exit
# log in with your username and password
sudo pico /etc/apt/sources.list
# and type in your password; but note: you only have to the first time running
# a "sudo" command (and again after 15 minutes idle, sudo's default); i.e.
# the rest of the sudo commands won't prompt
# add "deb http://ftp.us.debian.org/debian lenny main", hold Ctrl and type
# "x", then just type "y", and finally Enter (to keep the same name)
sudo apt-get update
sudo apt-get install iptables
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --syn -s 136.142.58.41 --dport 139 -j ACCEPT
# note: the SYN-flood limiter was originally typed as three INPUT rules:
# "-p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT", then the
# LOG, then "-p tcp --syn -j DROP". That ACCEPT matches *every* new connection
# from *anywhere* to *any* port (as long as it's under 1/s), and the DROP
# after it eats every other SYN, so not one of the per-zone/port rules below
# ever sees a new connection; i.e. the whole access list was dead and the
# box was effectively open (at 1 connection/s) to the world. The fix is to
# put the limiter in its own chain that RETURNs (instead of ACCEPTs) when
# the rate is fine, so the rules below still get to decide:
sudo iptables -N syn_flood
sudo iptables -A INPUT -p tcp --syn -j syn_flood
sudo iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
sudo iptables -A syn_flood -j LOG --log-prefix "SYN FLOOD DROP:"
sudo iptables -A syn_flood -j DROP
sudo iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/s --limit-burst 3 -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type 8 -j LOG --log-prefix "ICMP DOS DROP:"
sudo iptables -A INPUT -p icmp --icmp-type 8 -j DROP
# note: the "--sport 53", "--sport 67" and "--sport 137" rules below let in any
# UDP/TCP from those hosts as long as the *source* port is right, and the source
# port is the sender's choice; "-m state --state ESTABLISHED,RELATED" without
# "-p tcp" in the second rule above would cover the replies to our own DNS/DHCP
# queries statefully instead. Left as typed, since those are Pitt's own servers.
sudo iptables -A INPUT -p udp -s 136.142.57.10 --sport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 136.142.57.10 --sport 53 -j ACCEPT
sudo iptables -A INPUT -p udp -s 136.142.188.76 --sport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 136.142.188.76 --sport 53 -j ACCEPT
sudo iptables -A INPUT -p udp -s 136.142.188.73 --sport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 136.142.188.73 --sport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 136.142.188.121 --sport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 136.142.15.13 --sport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 130.49.127.11 --sport 53 -j ACCEPT
sudo iptables -A INPUT -p udp -s 136.142.188.46 --sport 67 -j ACCEPT
sudo iptables -A INPUT -p udp -s 136.142.57.225 --sport 137 -j ACCEPT
sudo iptables -A INPUT -p udp -s 136.142.140.17 --sport 137 -j ACCEPT
sudo iptables -A INPUT -p udp -s 136.142.185.225 --sport 137 -j ACCEPT
sudo iptables -A INPUT -p icmp -s 136.142.3.21 --icmp-type 8 -j ACCEPT
# (that one is never reached, as the three ICMP echo rules above already
# decided every ping; harmless, just redundant)
sudo iptables -A INPUT -p udp -s 130.49.237.32/27 -m multiport --sports 137,138,68 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 130.49.237.32/27 -m multiport --dports 139,445,22,3306 \
  -j ACCEPT
sudo iptables -A INPUT -p tcp -s 130.49.236.0/24 -m multiport --dports 139,445,22,3306 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 130.49.234.0/24 -m multiport --dports 139,445,22,3306 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 130.49.239.224/27 -m multiport --dports 139,445,22,3306 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 136.142.58.32/27 -m multiport --dports 139,445,22,3306 -j ACCEPT
s
udo iptables -A INPUT -p tcp -s 10.195.8.0/26 -m multiport --dports 139,445,22,3306 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 136.142.142.97 --dport 3306 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 136.142.142.40 --dport 3306 -j ACCEPT
sudo iptables -A INPUT -p udp -s 130.49.237.7 --sport 137 -j DROP
sudo iptables -A INPUT -p udp -s 130.49.237.47 --sport 5353 -j DROP
# (those two DROPs sit before the LOG rules, so that NetBIOS/mDNS chatter
# doesn't fill /var/log/messages)
sudo iptables -A INPUT -p tcp -j LOG --log-prefix "TCP DROP:"
sudo iptables -A INPUT -p udp -j LOG --log-prefix "UDP DROP:"
sudo iptables -A INPUT -p icmp -j LOG --log-prefix "ICMP DROP:"
sudo iptables -A INPUT -p tcp -j DROP
sudo iptables -A INPUT -p udp -j DROP
sudo iptables -A INPUT -p icmp -j DROP
sudo sh -c 'iptables-save > /etc/iptables'
# (the redirect has to run as root too, which is why it's wrapped in "sh -c"
# rather than "sudo iptables-save > /etc/iptables"; "su", then "iptables-save
# > /etc/iptables", then "exit" does the same thing)
sudo pico /etc/network/if-pre-up.d/iptables
# then add "#!/bin/sh", "iptables-restore < /etc/iptables", and
# "exit 0" (each on its own line), and Ctrl + "x", "y", and Enter
sudo chmod 755 /etc/network/if-pre-up.d/iptables
# (that was originally typed "if-pre-ip.d", which doesn't exist; the script
# must be executable or ifup silently skips it and the box comes up with no
# rules at all)
sudo apt-get install openssh-server
sudo apt-get install xfce4
sudo apt-get install iceweasel
sudo apt-get install vnc4server
vnc4server
# type a password twice, which doesn't have to be the same as your login
# (but only the first 8 characters count), and if you ever need to change it,
# run "vnc4passwd". Note: that password is all that protects the display, so
# keep port 5901 closed (as above) and only ever reach it through an ssh
# tunnel; "vnc4server -localhost" makes Xvnc listen on 127.0.0.1 only, which
# is worth adding to the init script below once the tunnel is working
pico /home/USERNAME/.vnc/xstartup
# comment everything (i.e. "#" each line), but make sure if a line wraps,
# that you backspace it back into place (i.e. back onto one line), then
# uncomment (i.e.
# remove the "#") both "unset SESSION_MANAGER" and
# "exec /etc/X11/xinit/xinitrc", add "exec /usr/bin/xfce4-session &" (to
# the end), and Ctrl + "x", "y", and Enter
sudo chmod 755 /etc/X11/xinit/xinitrc
sudo mkdir /usr/X11R6/lib
sudo mkdir /usr/X11R6/lib/X11
sudo ln -s /usr/share/fonts/X11 /usr/X11R6/lib/X11/fonts
sudo pico /etc/init.d/vnc4server
# type the following (including the "#" symbols); the username2 example,
# which is commented out, is for demonstration purposes; i.e. create those
# lines for as many people who want to connect with VNC (each person gets
# their own display number, :1, :2, ..., so that stop and status below
# refer to the right one):
#! /bin/sh
# http://wiki.debian.org/LSBInitScripts
### BEGIN INIT INFO
# Provides:          vnc4server
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
test -f /usr/bin/vnc4server || exit 0

username1=hunter3
# username2=USERNAME

case "$1" in
  start)
    echo "Starting vnc4server."
    su $username1 -c "/usr/bin/vnc4server :1"
    # su $username2 -c "/usr/bin/vnc4server :2"
    ;;
  stop)
    echo "Stopping vnc4server."
    # "-kill" looks for the pid file in $HOME/.vnc, so it has to run as the
    # same user that started the display (run as root, as originally written,
    # it looks in /root/.vnc and reports that it can't find the file)
    su $username1 -c "/usr/bin/vnc4server -kill :1"
    # su $username2 -c "/usr/bin/vnc4server -kill :2"
    ;;
  restart|force-reload)
    echo "Restarting vnc4server."
    $0 stop && $0 start
    ;;
  status)
    if [ ! -f /home/$username1/.vnc/db1:1.pid ]
    then
      echo "Status: vnc4server is NOT running for $username1."
    else
      echo "Status: vnc4server is running for $username1."
    fi
    # if [ ! -f /home/$username2/.vnc/db1:2.pid ]
    # then
    #   echo "Status: vnc4server is NOT running for $username2."
    # else
    #   echo "Status: vnc4server is running for $username2."
    # fi
    ;;
  *)
    echo "Usage: /etc/init.d/vnc4server {start|stop|restart|force-reload|status}"
    exit 1
    ;;
esac
exit 0
# and then Ctrl and "x", "y" and Enter
sudo chmod 755 /etc/init.d/vnc4server
sudo update-rc.d vnc4server defaults
# and to undo the references created above (i.e.
# not have the vncserver
# startup automatically), just run "sudo update-rc.d -f vnc4server remove"
sudo apt-get install mysql-server-5.0
# will be prompted for a MySQL root password, which doesn't have to be
# the same as the OS root (but I made it the same).
sudo usermod -a -G mysql USERNAME
# note: to remove a user from all groups, run "sudo usermod -G username
# username" or to re-define which groups, run with groups comma separated
# i.e. "sudo usermod -G groupname,anothergroup username"; and, to see what
# groups a person is in, run "groups username"; and, didn't have to create
# the "mysql" group (i.e. no need to "sudo groupadd mysql")
sudo chgrp mysql /data/Backup
# note: ran "sudo mkdir /data/Backup", "sudo chmod 775 /data", and
# "sudo chmod 775 /data/Backup" back when this was first built; i.e. you
# would only need to run these commands again on a brand new machine
mysql -u root -p
# type in the root password, then at the "mysql> " prompt, run:
create database cnup;
grant all on cnup.* to USERNAME@localhost;
grant all on cnup.* to cnupWrite@cnup.neurobio.pitt.edu;
grant select on cnup.* to cnupRead@cnup.neurobio.pitt.edu;
set password for USERNAME@localhost = password('PASSWORDHERE');
set password for cnupWrite@cnup.neurobio.pitt.edu = password('PASSWORDHERE');
set password for cnupRead@cnup.neurobio.pitt.edu = password('readm3!');
select user,host,db,select_priv,insert_priv from mysql.db;
# IF the above shows a blank user (the anonymous account, which lets anyone
# at a "test" database), run the following three commented commands (note
# the empty string: it's '' with nothing between the quotes, not a space):
# use mysql;
# delete from db where user = '';
# flush privileges;
quit
rm .mysql_history
# note: any time you add a user, log in as root; and, any time you set a
# password (only necessary once per username), because you're typing
# in their password, you will want to delete the mysql prompt's history
pico .my.cnf
# add "[mysqldump]" and "password=PASSWORDHERE", Ctrl + "x", "y", Enter
chmod 600 .my.cnf
# (originally typed ".my.conf", which MySQL never reads; the file with the
# password in it is ~/.my.cnf, and the chmod keeps other local users from
# reading it)
sudo pico /etc/mysql/my.cnf
# comment (i.e.
# add a "#" to the beginning of the line) out "bind-address",
# which is currently set to 127.0.0.1 (i.e. only allow localhost access),
# as we do want to use this as a backend server (i.e. connect to it from
# Pitt's EWI servers), Ctrl + "x", "y", and Enter; note: once that's
# commented out (and MySQL restarted, "sudo /etc/init.d/mysql restart", for
# it to take effect) MySQL listens on every interface, so the software
# firewall's 3306 rules (and Pitt's) are the only thing between it and the
# network
mysql -p
# (the "[mysqldump]" section in ~/.my.cnf only feeds mysqldump, so the mysql
# client still asks for USERNAME's password); then at the "mysql> " prompt:
use cnup
source /data/Backup/cnup.sql
quit
# note: to manually backup, "mysqldump cnup > /data/Backup/cnup.sql"
# sudo apt-get install php5
sudo apt-get install smbclient smbfs
# type "NEUROBIOLOGY" and Enter (for workgroup/domain)
# arrow left to "Yes" and Enter (smb.conf to get DHCP provided WINS)
sudo mkdir /mnt/smbshares
sudo mount -t smbfs '//130.49.237.41/staff$' /mnt/smbshares -o username=USERNAME
# (the share name is quoted because of the "$"); or replace //server/share with
# whatever; e.g. //130.49.237.42/temp, and then "ls /mnt/smbshares" to verify
# there are files there; i.e. but using them is a whole other lesson!
sudo apt-get install zip
sudo apt-get install openoffice.org
# the following two lines could be useful for DVD playback:
# sudo apt-get install totem-xine libxine1-ffmpeg libdvdread4
# sudo /usr/share/doc/libdvdread4/install-css.sh
sudo pico /etc/apt/sources.list
# add "deb http://www.backports.org/debian lenny-backports main contrib
# non-free" and "deb http://www.debian-multimedia.org lenny main non-free",
# hold Ctrl and type "x", then "y", and Enter
sudo apt-get update
sudo apt-get install debian-backports-keyring debian-multimedia-keyring
# note: usually asked (e.g. "…continue [Y/n]?"), which is defaulted to Yes
# (i.e.
# just hit Enter), but this time the question is "Install these
# packages without verification [y/N]?", which is defaulted to No, so type
# "y" and Enter (not just Enter like normally). Note: that is the one moment
# apt has no signature to check, i.e. you are trusting that download and the
# network path to it outright, so do it from the office, not a hotel wifi,
# and if you want to be sure, compare the key's fingerprint with the one the
# backports site publishes before trusting it
sudo apt-get install acroread
sudo apt-get install flashplugin-nonfree
sudo pico /etc/apt/preferences
# add "Package: flashplugin-nonfree", "Pin: release a=lenny-backports",
# and "Pin-Priority: 999"
sudo mkdir /usr/lib/iceweasel/plugins
sudo ln -s /usr/lib/flashplugin-nonfree/libflashplayer.so /usr/lib/iceweasel/plugins/libflashplayer.so
sudo apt-get install sun-java6-jre
# when the blue screen happens, hit Tab and Enter (for OK), then left arrow
# and Enter (for Yes)
sudo ln -s /usr/lib/jvm/java-6-sun/jre/plugin/i386/ns7/libjavaplugin_oji.so /usr/lib/iceweasel/plugins/libjavaplugin_oji.so
# (as originally typed, without the destination, the link landed in whatever
# directory you happened to be in rather than the plugins folder)
sudo update-alternatives --config java
# type "3" and Enter
sudo rm -r /usr/lib/jvm/java-gcj
sudo rm -r /usr/bin/gij-4.3
sudo pico /etc/apt/sources.list
sudo pico /etc/sysctl.conf
# add "vm.overcommit_memory=2" (aka strict) and "vm.swappiness=40" (less
# likely to use swap than the default 60), Ctrl "x", "y", Enter (note: "sudo
# cat /proc/sys/vm/swappiness" or "sudo cat /proc/sys/vm/overcommit_memory"
# show the values currently in effect)
sudo apt-get update
sudo apt-get upgrade
eject /dev/cdrom
history -c && rm -f ~/.bash_history
sudo shutdown -r now
########################################
# LOCAL ACCOUNTS and SAMBA (i.e. for the Schwartz Lab):
# note: for their external drive, the parted stuff only needs to be done once;
# i.e. you don't need to create all the folders and files on that drive, just
# /media/schwartzlab and edit /etc/fstab and mount -a (then on to adduser)
########################################
sudo apt-get install samba
sudo parted /dev/sdc
# then type and enter: "mklabel", "yes", "gpt", and "quit"
sudo shutdown -r now
sudo parted /dev/sdc
# then type and enter: "mkpart primary 0 100%" and "quit"
sudo mkfs.ext3 /dev/sdc1
# and wait, like a day (i.e.
# takes a LONG time)
sudo mkdir /media/schwartzlab
sudo pico /etc/fstab
# add "/dev/sdc1 /media/schwartzlab ext3 defaults 0 0",
# and if you want to make sure it's "/dev/sdc", run "sudo fdisk -l" first, then
# Ctrl "x", "y", Enter
sudo mount -a
sudo adduser motorlab
# then type in password twice, "Schwartz Lab", then just Enter for blank
# room num, work phone, home phone, other, and default "Y" for info correct
sudo adduser abs21
# like above, but "Andy Schwartz"...
# note: after creating those local usernames the *first* time (only), ran
# "sudo mv /home/motorlab /media/schwartzlab/" and "sudo mv /home/abs21
# /media/schwartzlab/"; but by now, those folders are populated; so, when
# clean slating, wouldn't want to replace with blank; i.e. just run
# "sudo rm -r /home/motorlab" and "sudo rm -r /home/abs21" instead
sudo ln -s /media/schwartzlab/motorlab/ /home/motorlab
sudo ln -s /media/schwartzlab/abs21/ /home/abs21
# (the links have to be made in /home, i.e. with the full path as above, not
# in whatever directory you happen to be sitting in)
sudo pico /etc/samba/smb.conf
# add to the bottom "[schwartzlab$]", " path = /media/schwartzlab",
# " valid users = motorlab,abs21", and " read only = no", Ctrl "x", "y", Enter
sudo /etc/init.d/samba restart
sudo chmod 750 /home/*
# i.e. remove the ability for anyone to read anyone else's home folder (note:
# chmod follows the two symlinks, so this changes the folders on
# /media/schwartzlab, which is what you want)
sudo usermod -aG motorlab abs21
# i.e. so that abs21 can read motorlab's home folder
# note: you may also need to change ownership if the uid changed; i.e. if you
# run "ls -la /media/schwartzlab" and see numbers listed (e.g. 1001) or the
# wrong username (i.e.
# you created abs21 before motorlab), run "sudo chown
# motorlab:motorlab /media/schwartzlab/motorlab" and "sudo chown abs21:abs21
# /media/schwartzlab/abs21"
sudo smbpasswd -a motorlab
sudo smbpasswd -a abs21
# ("-a" adds the user to Samba's password database the first time; without it,
# smbpasswd only changes an existing entry and fails for a new user)
#sudo mkdir -p /usr/local/samba/private
#sudo cat /etc/passwd | mksmbpasswd.sh >/usr/local/samba/private/smbpasswd
#sudo chmod 500 /usr/local/samba/private
#sudo chmod 600 /usr/local/samba/private/smbpasswd
########################################
# BACKUP AND RESTORE:
# note: /dev/st0 is "rewind after" and /dev/nst0 is "no or don't rewind",
# and both already have their group set to "tape" (i.e. no need to "sudo
# groupadd tape" and "sudo chgrp tape /dev/st0" or even "sudo chmod 660
# /dev/st0"); and NOTE: Do NOT run a tensioning pass on a Digital Data
# Storage (DDS) device, not that we have Linux on those (e.g. DC1 and DC2)
# note: to backup remotely (i.e. from another machine, run this command):
# tar -cvf - . | ssh db1.neurobio.pitt.edu dd of=/dev/st0 bs=2048
# and restore (the tape is read on db1 and the tar stream comes back over
# ssh to be unpacked here; as originally written, "ssh db1 | tar -xvf
# /dev/st0", it would have looked for a tape drive on the local machine):
# ssh db1.neurobio.pitt.edu dd if=/dev/st0 bs=2048 | tar -xvf -
########################################
sudo apt-get install rsync
sudo usermod -a -G tape USERNAME
#######
# BACKUP
#######
pico /data/Backup/CNUPbackupSQL.sh
# then type the following:
#!/bin/bash
# dump the database (mysqldump gets its password from the [mysqldump] section
# of ~/.my.cnf, so this runs without a prompt from cron)
mysqldump cnup > /data/Backup/cnup`date +%a%m%d%y`.sql || exit 1
# keep the four newest dumps: "ls -t" lists newest first, so everything from
# the fifth line on is older and can go. (As originally written, "tail --lines
# 1 | xargs rm" deleted the oldest cnup*.sql on every run no matter how many
# there were; with only cnup.sql and today's dump present, that deletes
# cnup.sql, i.e. the file the restore step above depends on.)
ls -t -1 /data/Backup/cnup*.sql | tail --lines=+5 | xargs --no-run-if-empty rm
exit 0
# and then Ctrl and "x", "y", and Enter
chmod 775 /data/Backup/CNUPbackupSQL.sh
pico /data/Backup/TapeBackup.sh
# and type the following:
#!/bin/bash
# test the command itself: "mt status" exits non-zero when there's no tape (or
# no drive). The original "if [ mt -f /dev/st0 status ]" handed four words to
# "[", which bash rejects ("too many arguments"), so it always took the
# "FAILED" branch.
if mt -f /dev/st0 status > /dev/null 2>&1
then
  logger -t TapeBackup "STARTED"
  tar cvf /dev/st0 /data/Backup
  logger -t TapeBackup "FINISHED (tar exit status $?)"
else
  logger -t TapeBackup "FAILED (no tape in /dev/st0?)"
fi
exit 0
# then hold Ctrl and "x", then just "y", and Enter
chmod 775 /data/Backup/TapeBackup.sh
pico /data/Backup/crontab
# then add the following (no "root" column: this goes in via "crontab", i.e.
# it is your own crontab and runs as you; only /etc/crontab and the files in
# /etc/cron.d have a user field, and with "root" here cron would try to run
# a command called "root"):
33 03 1,8,15,22,29 * * /data/Backup/CNUPbackupSQL.sh
44 04 1 * * /data/Backup/TapeBackup.sh
# then Ctrl and "x", "y", and Enter
crontab /data/Backup/crontab
#
# note: running CNUPbackupSQL.sh at 3:33am on the 1st, 8th, 15th, 22nd,
# and 29th days of every month (any day of the week it may be) as yourself;
# and, running the TapeBackup.sh at 4:44am and only on the 1st day of any
# month (on any day of the week it may be) and as yourself
#######
# RESTORE
#######
# list files on a tape:
tar -tvf /dev/st0
# restore a specific file:
tar -xvf /dev/st0 /path/filename.ext
# restore all files from the tape in the drive:
tar -xvf /dev/st0
#######
# TAPE MAINTENANCE
#######
# erase the tape in the drive (will take a *long* time!):
mt -f /dev/st0 erase
# retension a tape (i.e. maintenance on a well-used tape):
mt -f /dev/st0 retension
########################################
# NIC TEAMING (i.e. so as to get 200Mbps; note: that's two 100Mbps links
# aggregated, so many connections at once share 200Mbps, but any single
# connection still goes down one link at 100Mbps):
########################################
sudo apt-get install ifenslave
sudo pico /etc/modprobe.d/arch/i386
# add "alias bond0 bonding" and "options bond0 mode=4 miimon=100"
# (mode 4 is 802.3ad, matching "bond_mode 4" below and what the NOC set the
# switch ports to; this was originally typed "mode=0", i.e. round-robin,
# which disagrees with both the interfaces file and the switch),
# Ctrl and "x" to exit, "y" to save, and Enter to keep same name
sudo pico /etc/network/interfaces
# add the following (but no pound signs!):
# auto eth0
# iface eth0 inet manual
# auto eth1
# iface eth1 inet manual
# auto bond0
# iface bond0 inet static
#   bond_mode 4
#   bond_miimon 100
#   bond_downdelay 200
#   bond_updelay 200
#   slaves eth0 eth1
#   address 130.49.237.47
#   netmask 255.255.255.224
#   gateway 130.49.237.33
# comment out the original primary network interface (i.e. add "#" in front
# of "allow-hotplug eth0" and "iface eth0 inet dhcp"), Ctrl x, y, Enter
sudo pico /etc/resolv.conf
# note that "nameserver 136.142.57.10" and others are listed (as we started
# with dhcp, which populated this file), Ctrl and "x", "y", and Enter
# also note: if you have trouble with resolving names (i.e. www.pitt.edu
# doesn't work but http://130.49.228.207 does), you can also add a line to
# /etc/network/interfaces: "dns-nameservers 136.142.57.10 136.142.188.73"
# (that line is acted on by the resolvconf package, so install it if it isn't)
sudo pico /etc/modprobe.d/aliases
# add "alias net-pf-10 off" and "alias ipv6 off", Ctrl x, y,
# Enter
sudo /etc/init.d/networking restart
sudo ifconfig
# note that "bond0" has the correct IP address information and is "MASTER"
# and that "eth0" and "eth1" are both "SLAVE"
sudo mii-tool
# note that both eth0 and eth1 are "100baseTx-FD"; had to deal with the
# NOC here at Pitt to get the right router settings (i.e. both ports had
# to be set to allow dynamic link aggregation, aka enable "802.3ad" mode)
########################################
# MISC:
########################################
#######
# NOTEWORTHY
#######
# rebooting halted on mounting the swap file (but starting up from hard
# boot was fine), so ran the following to sort of reset the swap partition
# (and note: "sudo blkid" before and after the commands below showed that
# /dev/sda2 didn't have a UUID before, but did afterwards):
sudo swapoff -a
sudo dd if=/dev/urandom of=/dev/sda2
sudo mkswap /dev/sda2
sudo swapon -a
# but didn't help; so, tried "sudo update-initramfs -u" (to rebuild
# /boot/initrd.img-2.6.26-2-686), but that didn't help; so, "sudo apt-get
# remove uswsusp", then "sudo apt-get autoremove"; i.e. uninstalled the
# userspace suspend package and then a hard boot (shutdown/power off, then
# back on). Listing this way, because you may have to do the same.
#######
# SOFTWARE RAID:
# vs currently used hardware raid
#######
# Note: If going to new hardware that doesn't have hardware RAID...
# ...Why bother paying big bucks for a server, just buy a nice workstation
# i.e. as cheap a multi-core 64-bit with lots of RAM computer you can find
# and if it doesn't have hardware RAID, just setup the first drive (which
# should be /dev/sda), and then once done setting everything up, we will
# mirror the partition tables from /dev/sda to /dev/sdb (which should be
# the second drive--run "sudo fdisk -l" to see what drives are what), then
# setup raid without /dev/sda (i.e. "missing"), manipulate the grub and
# dependent files, reboot (and cross your fingers!), then add the original
# disk to the RAID array set.
# NOTE: perhaps put in a usb stick and "sudo mkdir /mnt/usbstick" then
# "sudo mount -t vfat /dev/sdc1 /mnt/usbstick", and then "sudo sfdisk
# /dev/sda -O /mnt/usbstick/sectors" (note: "o" not zero) before running
# the sfdisk commands below (this saves the sectors sfdisk is about to
# overwrite), and likewise run "sudo sfdisk -d /dev/sda | sudo tee
# /mnt/usbstick/partitions" for the partition table (not just the sectors
# that would be replaced). Then, if the raid setup is botched, boot to a
# live cd (like knoppix), get into the terminal and run "su", "mkdir
# /mnt/usb", "mount -t vfat /dev/sdc1 /mnt/usb", "sfdisk /dev/sda -I
# /mnt/usb/sectors", "sfdisk /dev/sda < /mnt/usb/partitions" (originally
# typed "/dev/sdc/partitions", which isn't where the file was saved), and
# reboot
sudo apt-get install mdadm
sudo shutdown -r now
sudo sfdisk -d /dev/sda | sudo sfdisk /dev/sdb
sudo fdisk /dev/sdb
# then at the "Command (m for help):" prompt, type "t" (for change a
# partition's system id) and Enter, then "1" and Enter at the "Partition
# number (1-4):" prompt, then "fd" and Enter at the "Hex code (type L to list
# codes):" prompt (for "Linux raid auto"). Then repeat, but "t", "2", and
# "fd" (i.e. as we have two partitions: root (or /dev/sda1) and swap (or
# /dev/sda2)); and finally, type "w" and Enter at the "Command (m for
# help):" prompt (to write the table to disk and exit).
sudo shutdown -r now
# note: if rebuilding a software array, run the following two lines:
# sudo mdadm --zero-superblock /dev/sdb1
# sudo mdadm --zero-superblock /dev/sdb2
sudo mdadm --create /dev/md0 --level=1 --raid-disks=2 missing /dev/sdb1
sudo mdadm --create /dev/md1 --level=1 --raid-disks=2 missing /dev/sdb2
sudo mkfs.ext3 /dev/md0
sudo mkswap /dev/md1
sudo cp /etc/mdadm/mdadm.conf /etc/mdadm/mdadm.conf.old
sudo mdadm --examine --scan | sudo tee -a /etc/mdadm/mdadm.conf
# (the ">>" redirect has to be done as root too, hence "tee -a"; "sudo mdadm
# ... >> /etc/mdadm/mdadm.conf" fails with permission denied, because the
# shell doing the redirect is yours, not root's; and run "sudo
# update-initramfs -u" now, so the initrd carries the new mdadm.conf before
# we try to boot from the array)
sudo mkdir /mnt/md0
# note: no need to mount the swap
sudo mount /dev/md0 /mnt/md0
sudo pico /etc/fstab
# replace "/dev/sda1" with "/dev/md0" and replace "/dev/sda2" with
# "/dev/md1", Ctrl "x", "y", Enter
sudo pico /etc/mtab
# replace "/dev/sda1" with "/dev/md0", Ctrl "x", "y", Enter
sudo pico /boot/grub/menu.lst
# add a new line "fallback 1" after "default 0", then scroll to the
# bottom and while on the *first* "title" line (where the next three lines
# start with "root", "kernel", and "initrd"), hold Ctrl and type "k" five
# times, then Ctrl "u" twice (to copy that first kernel listing), then edit
# the first set of lines (i.e. so that the original set of lines we copied
# will be preserved as the second set or "fallback 1"): replace "(hd0,0)"
# with "(hd1,0)" in the "root" line and replace "/dev/sda1" with "/dev/md0"
# in the "kernel" line, and then add "(hd1)" to the title of the first
# entry and "(hd0)" to the second entry's title, Ctrl "x", "y", Enter
sudo cp -dpRx / /mnt/md0
# (copy the whole root filesystem onto the array, not just /boot as
# originally written: there's no separate /boot partition on this box, and
# with "root=/dev/md0" the kernel needs /sbin/init and everything else on
# md0 too; "-x" keeps cp on the one filesystem, so /data, /proc and
# /mnt/md0 itself aren't dragged along)
sudo grub
# type "setup (hd1)" and Enter at the "grub>" prompt, then "quit"
sudo shutdown -r now
sudo fdisk /dev/sda
# then type "t" and Enter, "1" and Enter, "fd" and Enter, then "t", "2",
# and "fd"; and finally, type "w" and Enter.
sudo shutdown -r now
sudo mdadm --add /dev/md0 /dev/sda1
sudo mdadm --add /dev/md1 /dev/sda2
sudo cat /proc/mdstat
# and when it's done building (i.e. "UU" and not "_U" for the two drives;
# "watch cat /proc/mdstat" shows the rebuild percentage ticking along):
sudo mdadm --examine --scan
# and compare with the ARRAY lines already in /etc/mdadm/mdadm.conf: the
# UUIDs didn't change when sda1/sda2 joined the arrays, so nothing should
# need adding (appending again, as originally written, just duplicates
# the ARRAY lines)
sudo pico /boot/grub/menu.lst
# find the line "kopt=root=/dev/sda1 ro" and replace "sda1" with "md0" (but
# don't remove the "#" at the beginning of the line), then scroll down to
# the bottom and comment out (i.e. add "#" to the beginning of the line)
# the original two entries, then copy the top/new entry and paste it but
# make one "root" have "(hd1,0)" and add "RAID" to the "title" and the
# other "root" be "(hd0,0)" and add "RAID" to the "title", and both
# entries' "kernel" contain "/dev/md0", then Ctrl "x", "y", Enter
sudo shutdown -r now
#######
# ACTIVE DIRECTORY:
# Consider joining the Active Directory (I did not), and allow users to
# connect with their domain usernames (neurobiology or upitt-users), as
# opposed to managing locally; and of course, certainly chroot them; i.e.
# restrict them to only their home directories
# http://samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
#######
# Note: I would flush the existing iptables rules with "sudo iptables -F"
# (and "sudo iptables -X" to drop any user-defined chains as well) and then
# insert the following above the logging and dropping rules (i.e. paste the
# rules from the top of the firewall section, then these, then the LOG/DROP
# tail into an ssh terminal in that order, since "-A" appends), and then
# "sudo sh -c 'iptables-save > /etc/iptables'". With the policy being ACCEPT,
# the flush won't lock you out of the ssh session, but the box is wide open
# until the paste finishes.
sudo iptables -A INPUT -p udp -s 130.49.0.0/16 -m multiport --sports 88,389 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 130.49.0.0/16 -m multiport --sports 88,389 -j ACCEPT
sudo iptables -A INPUT -p udp -s 136.142.0.0/16 -m multiport --sports 88,389 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 136.142.0.0/16 -m multiport --sports 88,389 -j ACCEPT
sudo iptables -A INPUT -p udp -s 136.142.8.15 --sport 750 -j ACCEPT
sudo iptables -A INPUT -p udp -s 136.142.8.20 --sport 750 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 130.49.237.7 -m multiport --sports 135,636 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 130.49.237.8 -m multiport --sports 135,636 -j ACCEPT
# (multiport's option is "--sports"; "--sport 135,636" as originally typed is
# the plain tcp match, which takes one port and rejects the list)
sudo iptables -A INPUT -p udp -s 130.49.237.8 --sport 123 -j ACCEPT
sudo \
  iptables -A INPUT -p udp -s 130.49.237.7 --sport 123 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 130.49.237.7 --dport 139 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 130.49.237.8 --dport 139 -j ACCEPT
sudo apt-get install krb5-user ntpdate winbind
# also need samba, but already using that for Andy to connect to his
# /media/schwartzlab via his Windows machine
# Debian CDROM needed (for ntpdate), and when prompted for Kerberos server
# hostname(s), type "dc1.neurobio.pitt.edu dc2.neurobio.pitt.edu", and then
# just "dc1.neurobio.pitt.edu" and Enter for the administrative server(s)
sudo eject /dev/cdrom
sudo /etc/init.d/samba stop
sudo /etc/init.d/winbind stop
sudo ntpdate dc1.neurobio.pitt.edu
# (Kerberos refuses tickets if the clock is more than 5 minutes off the
# domain controller's, which is why the time gets sorted out first)
sudo pico /etc/default/ntpdate
# comment the line that begins with "NTPSERVERS="; i.e. put a "#" sign at
# the beginning of the line, Ctrl "x", "y", and Enter
sudo pico /etc/ntp.conf
# add "server dc1.neurobio.pitt.edu" (a bare hostname on its own line isn't
# a valid ntp.conf directive), Ctrl "x", "y", and Enter
sudo pico /etc/krb5.conf
# at the top edit "default_realm = NEUROBIO.NT.PITT.EDU" (i.e. add ".NT")
# and also edit the first line in the [realms] section the same way (i.e.
# add ".NT" after "NEUROBIO"), then add the following (after the ending
# curly bracket or "}" in the NEUROBIO realm):
# UPITT-USERS.NT.PITT.EDU = {
#   kdc = krb1.srv.cis.pitt.edu:750
#   kdc = krb2.srv.cis.pitt.edu:750
#   default_domain = pitt.edu
#   string_to_key_type = afs_string_to_key
# }
# Then under the "[domain_realm]" section, add " .pitt.edu = PITT.EDU",
# Ctrl and "x" to exit, "y" to save, and Enter to keep same name
sudo pico /etc/samba/smb.conf
# add the following (right under "[global]"; i.e. Ctrl and "w", then type
# the keyword you are searching for (e.g.
# global), then Enter, which will
# take you to that area of the text file):
#   realm = NEUROBIO.NT.PITT.EDU
#   #winbind use default domain = yes
#   winbind separator = +
#   winbind cache time = 40
#   template homedir = /home/%D/%U
#   netbios name = DB1
# then in the "Authentication" section (don't forget the Ctrl "w" trick),
# uncomment "security = " (i.e. remove the leading "#") and replace "user"
# with "ads", then in the "Misc" section uncomment (i.e. this time,
# remove the ";", which is also a comment character like "#") the following:
#   idmap uid = 10000-40000
#   idmap gid = 10000-40000
#   template shell = /bin/bash
#   winbind enum groups = yes
#   winbind enum users = yes
# note: the file ships with "10000-20000" on the two idmap lines; change the
# "2" to a "4" so both read 10000-40000 as above; then, in the "[homes]"
# section, change "read only = " to "yes" (default is "no"), Ctrl x, y, Enter
sudo pico /etc/nsswitch.conf
# replace "compat" with "files winbind" next to both "passwd:" and
# "group:", Ctrl and "x", "y", and Enter
sudo cp -a /etc/pam.d /etc/pam.d.old
# ("-a" because /etc/pam.d is a directory; plain "cp" skips it with
# "omitting directory", leaving you no backup to undo with)
sudo pico /etc/pam.d/common-account
# add "account sufficient pam_winbind.so" *above* the existing line (i.e.
# domain/winbind login would be more common than local/unix, so try that
# method first), then add " use_first_pass" to the end of the original line
# (or non-top line), Ctrl and "x", "y", Enter
sudo pico /etc/pam.d/common-auth
# to the top, add "auth sufficient pam_winbind.so
# require_membership_of=NEUROBIOLOGY" and "auth sufficient pam_winbind.so
# require_membership_of=UPITT-USERS", then add " use_first_pass" to the end
# of the original line (or non-top line), Ctrl and "x", "y", Enter
# (note: "sufficient" means a domain user in one of those groups is let in
# right there; anyone else, local accounts included, falls through to the
# pam_unix line, which still has to succeed)
sudo pico /etc/pam.d/common-password
# above the first uncommented line, add "password sufficient pam_winbind.so"
# (the type has to be "password" in this file, not "auth" as originally
# typed; an "auth" line here just adds another auth step and does nothing
# for password changes), then add " use_first_pass" to the end of the
# original line (or non-top line)
sudo pico /etc/pam.d/common-session
# add "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" below
# the existing line, and Ctrl "x", "y", Enter
sudo shutdown -r now
sudo net ads join -U hunter3
# ignore the "DNS update failed!" errors (i.e. no DNS on the domain
# controller); and note: "sudo net ads leave -U hunter3" and "sudo cp -a
# /etc/pam.d.old/. /etc/pam.d/" to undo.
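# The firewall rules above (the INPUT chain from the CONTINUE INSTALLATION
# section, and the Active Directory rules that the note says to paste in
# above the LOG/DROP tail) all live or die by iptables' first-match ordering,
# and the SYN-flood limiter as first typed (a rate-limited "--syn -j ACCEPT"
# followed by a "--syn -j DROP") decides every new connection before any
# source/port rule is reached. What follows is an added example, not part of
# these notes, that simulates that evaluation in Python for a representative
# slice of the chain and runs the same constructed packets through both
# orderings: the original one, and the one with the limiter in its own chain
# that RETURNs. The matching is simplified (the burst counter never refills,
# and ESTABLISHED is approximated as "any non-SYN TCP segment"); the
# addresses and ports are the page's own, except 192.0.2.10, a TEST-NET
# address standing in for some outside host.

```python
"""Added example (not from the page): first-match simulation of the INPUT chain."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Rule:
    """One iptables rule, reduced to the matches the page's rules actually use."""
    target: str                              # ACCEPT, DROP, LOG, RETURN or a user chain
    proto: Optional[str] = None              # -p tcp|udp|icmp (None = any)
    src: Optional[str] = None                # -s address or CIDR
    dports: FrozenSet[int] = frozenset()     # --dport / -m multiport --dports
    syn: bool = False                        # --syn (new TCP connections only)
    established: bool = False                # -m state --state ESTABLISHED (here: non-SYN tcp)
    burst: Optional[int] = None              # -m limit --limit-burst N; refill is ignored
    tokens: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        self.tokens = self.burst or 0

    def matches(self, pkt: "Packet") -> bool:
        if self.proto and self.proto != pkt.proto:
            return False
        if self.src and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.syn and not (pkt.proto == "tcp" and pkt.syn):
            return False
        if self.established and not (pkt.proto == "tcp" and not pkt.syn):
            return False
        if self.burst is not None:          # token bucket with no refill: enough to
            if self.tokens == 0:            # show what happens once the burst is spent
                return False
            self.tokens -= 1
        return True


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int = 0
    syn: bool = False


Chains = Dict[str, List[Rule]]


def verdict(chains: Chains, pkt: Packet, chain: str = "INPUT") -> Optional[str]:
    """Netfilter semantics: the first terminating match wins; LOG never terminates;
    RETURN (or running off the end of a user chain) hands the packet back to the
    caller; INPUT keeps its policy, ACCEPT, because the page never sets -P INPUT."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            continue
        if rule.target == "RETURN":
            return None
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        sub = verdict(chains, pkt, rule.target)          # jump to a user-defined chain
        if sub is not None:
            return sub
    return "ACCEPT" if chain == "INPUT" else None


def zone_rules() -> List[Rule]:
    """A representative slice of the page's per-zone rules (fresh objects each call)."""
    return [Rule("ACCEPT", "tcp", "130.49.236.0/24", frozenset({139, 445, 22, 3306})),
            Rule("ACCEPT", "tcp", "136.142.142.40", frozenset({3306}))]


def tail() -> List[Rule]:
    """The page's closing LOG-then-DROP for tcp, udp and icmp."""
    return ([Rule("LOG", p) for p in ("tcp", "udp", "icmp")]
            + [Rule("DROP", p) for p in ("tcp", "udp", "icmp")])


def page_ruleset() -> Chains:
    """Order as first typed: the rate-limited --syn ACCEPT precedes every zone rule."""
    return {"INPUT": [Rule("ACCEPT", "tcp", established=True),
                      Rule("ACCEPT", "tcp", syn=True, burst=3),
                      Rule("LOG", "tcp", syn=True),
                      Rule("DROP", "tcp", syn=True)] + zone_rules() + tail()}


def fixed_ruleset() -> Chains:
    """The limiter in its own chain that RETURNs, so the zone rules still decide."""
    return {"INPUT": [Rule("ACCEPT", "tcp", established=True),
                      Rule("syn_flood", "tcp", syn=True)] + zone_rules() + tail(),
            "syn_flood": [Rule("RETURN", burst=3), Rule("LOG"), Rule("DROP")]}


def classify(chains: Chains, packets: List[Packet]) -> List[str]:
    """Verdict per packet, in order (order matters because of the burst counter)."""
    return [verdict(chains, p) or "ACCEPT" for p in packets]


# Constructed sample traffic; 192.0.2.10 (TEST-NET-1) stands in for an outside host.
SAMPLE = [
    Packet("tcp", "192.0.2.10", 3306, syn=True),       # stranger -> MySQL
    Packet("tcp", "130.49.236.5", 22, syn=True),       # workstation zone -> ssh
    Packet("tcp", "136.142.142.40", 3306, syn=True),   # Joan's box -> MySQL
    Packet("tcp", "130.49.236.5", 22, syn=True),       # 4th SYN in the burst -> rate-limited
    Packet("udp", "192.0.2.10", 5353),                 # stranger -> mDNS
]

if __name__ == "__main__":
    print("as on the page:      ", classify(page_ruleset(), SAMPLE))
    print("with syn_flood chain:", classify(fixed_ruleset(), SAMPLE))
```

# Run it and the first packet is the whole story: with the page's ordering the
# stranger's connection to 3306 is ACCEPTed (it's the first SYN in the burst,
# and nothing after the limiter ever gets a say), while with the syn_flood
# chain it falls through to the zone rules and is DROPped; the legitimate
# workstation and Joan's box are accepted either way, and the fourth SYN in
# the burst is still rate-limited either way. The same first-match logic is
# why the AD rules have to go in *above* the LOG/DROP tail.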
sudo mkdir /home/NEUROBIOLOGY
sudo chgrp NEUROBIOLOGY+domain\ users /home/NEUROBIOLOGY
sudo mkdir /home/UPITT-USERS
sudo chgrp UPITT-USERS+domain\ users /home/UPITT-USERS
# and probably best to restrict everyone:
sudo apt-get install libpam-chroot
# note: /usr/share/doc/libpam-chroot has examples and a readme
sudo pico /etc/pam.d/common-session
# add "session required pam_chroot.so" (to the bottom), Ctrl x, y, Enter
sudo pico /etc/security/chroot.conf
# add "UPITT-USERS+* /home/chroot" and "NEUROBIOLOGY+* /home/chroot"
sudo mkdir -p /home/chroot/{bin,dev/pts,home,lib,proc}
sudo mount -obind /bin/ /home/chroot/bin/
sudo mount -obind /dev/ /home/chroot/dev/
sudo mount -obind /dev/pts /home/chroot/dev/pts
sudo mv /home/motorlab /home/chroot/home/
sudo mount -obind /lib/ /home/chroot/lib/
sudo mount -obind /proc/ /home/chroot/proc/
# Bind mounts work inside the chroot (unlike symbolic links) and keep working
# when you update the main OS, i.e. there is no need to re-copy updated
# /bin and /lib files.
# Also, to unmount any of the above, run "sudo umount
# /home/chroot/folder" (note: "mount" lists them)
sudo mv /home/NEUROBIOLOGY /home/chroot/
sudo mv /home/UPITT-USERS /home/chroot/
#######
# or you can manually copy a minimal set of stuff (instead of bind mounting
# /bin, /dev, /lib, and /proc):
#######
sudo cp /bin/bash /home/chroot/bin/
sudo cp -a /bin/sh /home/chroot/bin/
sudo cp /bin/ls /home/chroot/bin/
sudo cp -a /lib/{libncurses.so.5,libdl.so.2,libc.so.6,ld-linux.so.2} /home/chroot/lib/
sudo cp /lib/{libncurses.so.5.7,libdl-2.7.so,libc-2.7.so,ld-2.7.so} /home/chroot/lib/
sudo cp -a /lib/{librt.so.1,libacl.so.1,libpthread.so.0,libattr.so.1} /home/chroot/lib/
sudo cp /lib/{librt-2.7.so,libacl.so.1.1.0,libselinux.so.1,libpthread-2.7.so,libattr.so.1.1.0} /home/chroot/lib/
sudo mknod -m 660 /home/chroot/dev/zero c 1 5
sudo mknod -m 660 /home/chroot/dev/null c 1 3
# and we need some extra stuff to make ssh and sftp login work (not just
# console):
sudo mkdir /home/chroot/dev/pts
sudo mkdir /home/chroot/proc
sudo pico /etc/fstab
# add "none /home/chroot/dev/pts devpts defaults 0 0" and
# "proc /home/chroot/proc proc defaults 0 0", Ctrl "x", "y", Enter
sudo mount -a
sudo mknod -m 666 /home/chroot/dev/ptmx c 5 2
# and if one wanted to add more /bin commands, copy them over too; to know
# which libraries to copy, run "ldd /bin/command", and to know what
# numbers to use (or whether it is a link), run "ls -la"
# Also (if manually adding), not sure if the following is needed (for ssh/sftp):
sudo mknod -m 666 /media/schwartzlab/dev/tty c 5 0
sudo mknod -m 666 /media/schwartzlab/dev/urandom c 1 9
sudo mkdir -p /media/schwartzlab/usr/lib/openssh
sudo cp /usr/lib/openssh/sftp-server /media/schwartzlab/usr/lib/openssh
#######
# or just chroot sftp (since openssh has "chrootdirectory" and "forcecommand"):
#######
sudo pico /etc/ssh/sshd_config
# towards the bottom, replace "Subsystem sftp /usr/lib/openssh/sftp-server"
# with "subsystem sftp internal-sftp"; also, add the following (to the very
# bottom):
# match group chroot
# chrootdirectory d%/%u
# x11forwarding no
# allowtcpforwarding no
# forcecommand internal-sftp
# (note: sshd expands only "%h" and "%u" in chrootdirectory, and it refuses
# the chroot unless that directory and every directory above it are owned
# by root and not writable by group or others)
sudo /etc/init.d/ssh restart
sudo groupadd chroot
sudo usermod -aG chroot -d /home/chroot/home/ NEUROBIOLOGY+*
sudo usermod -aG chroot -d /home/chroot/home/ UPITT-USERS+*
sudo chown root.root /home/chroot/home/NEUROBIOLOGY/*
sudo chown root.root /home/chroot/home/UPITT-USERS/*
# note: "sudo usermod -G motorlab -d /media/schwartzlab/motorlab motorlab"
# to undo the chroot, and don't worry about ownership of the home directory
#######
Forgot the root password?:
When the machine starts up, make sure you hit an arrow key in that 3 second
moment when you get an option on booting to single-user mode (blue rectangle
after all the BIOS POSTing is done), then type "c" to get a prompt:
grub> boot: Linux init=/bin/sh
init-2.03# mount -n -o remount,rw /
init-2.03# mount -avt nonfs,noproc,nosmbfs
init-2.03# pico /etc/passwd
clear out the second data field for root (i.e. remove the "x")
hold Ctrl and type "x", then type "y" (to save) and Enter (to keep the same name)
init-2.03# pico /etc/shadow
clear out the second data field for root (i.e. remove the gibberish after "root:")
hold Ctrl and type "x", then type "y" (to save) and Enter (to keep the same name)
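# Added example (not from the original notes) for the sftp chroot setup above:
# sshd will not enter a chrootdirectory unless it and every directory above it
# are root-owned and not group/world writable (the "bad ownership or modes for
# chroot directory" error). This walks the path and reports offending
# components. GOOD_TREE and BAD_TREE are constructed {path: (uid, mode)} maps
# used in place of os.stat so the check can be exercised without the real
# /home/chroot layout.

```python
import os
import stat

def component_problems(path, uid, mode):
    """Pure check of one directory's owner uid and st_mode against sshd's rules."""
    problems = []
    if uid != 0:
        problems.append(f"{path}: owned by uid {uid}, not root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: writable by group or others (mode {oct(mode & 0o777)})")
    return problems

def check_chroot_path(chroot, tree=None):
    """Check chroot and each parent up to "/". If `tree` (a constructed
    {path: (uid, mode)} map) is given it replaces os.stat."""
    problems = []
    path = os.path.normpath(chroot)
    while True:
        if tree is None:
            st = os.stat(path)
            uid, mode = st.st_uid, st.st_mode
        else:
            uid, mode = tree[path]
        problems += component_problems(path, uid, mode)
        parent = os.path.dirname(path)
        if parent == path:  # reached "/"
            break
        path = parent
    return problems

# Constructed tree mirroring the layout above after the chown commands.
GOOD_TREE = {"/": (0, 0o40755), "/home": (0, 0o40755),
             "/home/chroot": (0, 0o40755), "/home/chroot/home": (0, 0o40755)}
# Same layout, but /home/chroot left group-writable (e.g. for "domain users").
BAD_TREE = dict(GOOD_TREE, **{"/home/chroot": (0, 0o40775)})

if __name__ == "__main__":
    target = "/home/chroot/home"
    if os.path.isdir(target):  # live check on this machine
        for p in check_chroot_path(target) or [f"{target}: ok"]:
            print(p)
    for p in check_chroot_path(target, BAD_TREE):
        print("constructed:", p)
```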