Installing a Server from scratch

From ProgSoc Wiki



CHAPTER 1 - DEBIAN TESTING / UBUNTU ON SUCCUBUS

Written using the 18/8/04 Debian netinst CD.

  • insert CD
  • turn on machine
  • type "boot cdrom" at prompt
  • type "linux rootfstype=ext2" at SILO prompt
  • select English as language and Australia as region
  • DO NOT select a keymap, this completely breaks the keyboard support
  • instead select "go back" to go back to the installer menu (use tab to select go back)
  • skip ahead to mounting the CDROM, this should work fine
  • after it fails DHCP networking, configure the network manually, settings are:
 IP 138.25.6.X (where X is the number to be used for that machine)
 Netmask 255.255.255.0
 Gateway 138.25.6.254
 Nameserver 138.25.6.2

Give it a nice, really cool name when it asks; the domain it is under is progsoc.uts.edu.au. Next is the partitioner. While there are a lot of ways to do it, one good setup would be:

 300MB /boot (set option ro so it is read only)
 9GB /
 4GB /var
 2GB swap

This gives far more than enough room for all needed files, plus a huge amount of log space on a separate partition, so that if something goes catastrophically wrong and your log files grow too large they won't fill the root partition, and a ludicrous swap space so you never run out of virtual memory. For the filesystems on each, while any should work, ext3 is probably the safest bet. Once that's done, just let it continue and it'll install the base system for you, which may take a while; go drink a well earned coke from the fridge (if anyone has bothered to keep it stocked).

  • Remove the CD when it wants and let it reboot.
  • Type "boot disk0" at the prompt, then just hit enter at the SILO prompt.
  • There's no point in adding an extra user, so just go to "cancel".
  • Select the next option in the install list for the apt-get source: select ftp and choose two Australian mirrors; the official au.debian.org one and the aarnet one are two good choices.
  • Also, when prompted, say yes, you do want security updates.
  • There is no http proxy, so leave it blank.
  • When it asks what you want to install, that depends what the machine is for, but ideally you will want at the least mail server support, and ideally web and sql support too, plus, if the machine supports a gui like the sunblades do, desktop environment support too.
  • Now go get another drink, because while it installs all those packages you're going to have a lot of time on your hands.
  • You'll be asked a few questions by debconf; the defaults are fine for all of them.
  • For the screen, select "medium" level configuration, and select 1024x768@75hz.
  • Don't bother setting up the MTA now, we can do it later.

Hooray, debian-installer has finished!

At this point in time, you'll want to set a root password as Ubuntu has the root account turned off by default:

 sudo passwd root

You'll probably want ssh installed, so run "apt-get install ssh". If this segfaults, clear any .bin files in the /var/cache/apt directory, then do it again. For various reasons it's probably best to not let it activate ssh v2 (I activated it my first try and it really messed up remote authentication later on); also let it SUID the program it wants to, and tell it to run the sshd server. Now ssh should work, but until we have users configured, that's not much use. At this stage, it might also be a good idea to set up the DNS entry for the new machine on orgo, though that's for another HOWTO.

Ubuntu doesn't have all the packages we need by default, so modify your sources list to match the following (change "dapper" to whatever version of Ubuntu you installed). Open up /etc/apt/sources.list and replace its contents with:

 deb http://au.archive.ubuntu.com/ubuntu/ dapper main restricted universe multiverse
 deb-src http://au.archive.ubuntu.com/ubuntu/ dapper main restricted
 
 deb http://au.archive.ubuntu.com/ubuntu/ dapper-updates main restricted universe multiverse
 deb-src http://au.archive.ubuntu.com/ubuntu/ dapper-updates main restricted universe multiverse
 
 deb http://au.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse
 deb-src http://au.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse
 
 deb http://security.ubuntu.com/ubuntu dapper-security main restricted universe multiverse
 deb-src http://security.ubuntu.com/ubuntu dapper-security main restricted universe multiverse

Update and upgrade by running:

 apt-get update
 apt-get upgrade

Now you can install all the libraries needed for automounting mail, home directories, and getting user logins by running

 apt-get install am-utils libnss-ldap libpam-ldap

Confirm the default domain is ".progsoc.uts.edu.au". For the automounter prompts: the map is not propagated via NIS, we do want the net map, and we do not want the passwd map. The ldap server is orgo, so use its IP of 138.25.6.2 when prompted; the search base is "dc=progsoc,dc=org", use ldap version 3, and no ldap login is required. There is no need to restrict reading of the libnss-ldap config file.

For libpam-ldap, there is no need to make the local root the database owner, and there is no need to log into the database for anything, so answer no when asked, and tell it to use crypt when changing passwords.

Go into /etc/pam.d and, for each of the "common-*" files, add a line at the top of the non-commented lines, the same as the line already present but with "sufficient" instead of "required" and "pam_ldap.so" instead of "pam_unix.so". The one exception is common-auth, where you also need to replace "nullok-secure" in the file with "try_first_pass"; otherwise nothing should appear in any of the files after the .so file names. Then edit /etc/nsswitch.conf and change the "passwd" and "group" lines, replacing "compat" with "files ldap".
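Here is an added shell example (not from this wiki page) that performs those three edits on whichever files you hand it, so you can try them on copies before touching /etc. Only the file paths are assumptions; the line formats are the stock Debian ones (e.g. "auth required pam_unix.so nullok_secure").

```shell
#!/bin/sh
# Added example, not from the ProgSoc page: apply the PAM and nsswitch edits
# described above to the files passed in. Nothing here touches /etc unless
# you point it there; the demo at the bottom works on constructed copies.

# add_pam_ldap FILE
# Insert above the first active (non-comment) line a copy of it with
# "sufficient" for "required" and pam_ldap.so for pam_unix.so, carrying no
# module arguments. pam_ldap is consulted first: if it succeeds the stack is
# satisfied, if it fails control falls through to the original pam_unix line.
add_pam_ldap() {
    awk '
        !done && $0 !~ /^[ \t]*#/ && $0 !~ /^[ \t]*$/ {
            module = $3
            sub(/pam_unix\.so/, "pam_ldap.so", module)
            printf "%s\tsufficient\t%s\n", $1, module
            done = 1
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# fix_common_auth FILE
# common-auth only: pam_unix must reuse the password pam_ldap already asked
# for, so nullok-secure (spelled nullok_secure on stock Debian) becomes
# try_first_pass; otherwise the user is prompted twice when LDAP rejects them.
fix_common_auth() {
    awk '{ sub(/nullok[-_]secure/, "try_first_pass"); print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# set_nsswitch_ldap FILE
# passwd and group lookups only: local files first, then LDAP.
set_nsswitch_ldap() {
    awk '$1 == "passwd:" || $1 == "group:" { sub(/compat/, "files ldap") } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# first_active_line FILE: the first non-comment line, for checking the result.
first_active_line() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | head -n 1
}

# Demonstration on constructed copies in a temporary directory.
demo() {
    d=$(mktemp -d)
    printf '# constructed copy of /etc/pam.d/common-auth\nauth\trequired\tpam_unix.so nullok_secure\n' > "$d/common-auth"
    printf 'account\trequired\tpam_unix.so\n' > "$d/common-account"
    printf 'passwd:         compat\ngroup:          compat\nshadow:         compat\nhosts:          files dns\n' > "$d/nsswitch.conf"
    for f in common-auth common-account; do add_pam_ldap "$d/$f"; done
    fix_common_auth "$d/common-auth"
    set_nsswitch_ldap "$d/nsswitch.conf"
    cat "$d/common-auth" "$d/common-account" "$d/nsswitch.conf"
    rm -rf "$d"
}

demo
```

Try it on copies first (cp /etc/pam.d/common-* /tmp/pamtest/ and point the functions there). The ordering is the point: a sufficient pam_ldap that succeeds ends the stack, while a failure falls through to the original pam_unix line, which is why common-auth needs try_first_pass to avoid a second password prompt.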


To configure home directories, firstly copy the following into "progsoc.home" in /etc/am-utils (you could just copy this from another working machine):

 /default        type:=nfs;opts:=nosuid,intr,rw;
 
 #httpd          type:=nfsl;fs:=/old.root/abode/httpd
 #www            type:=nfsl;fs:=/old.root/abode/httpd
 #*              type:=nfsl;fs:=/old.root/cats/${key}
 
 # the above should work but it doesn't, this does though
 
 httpd           -rhost:=orgo;rfs:=/phatdisk/httpd; \
                 host!=${rhost};type:=nfs \
                 host:=${rhost};type:=link
  
 www             -rhost:=orgo;rfs:=/phatdisk/httpd; \
                 host!=${rhost};type:=nfs \
                 host:=${rhost};type:=link
 
 projects        -rhost:=orgo;rfs:=/phatdisk/projects; \
                 host!=${rhost};type:=nfs \
                 host:=${rhost};type:=link
 
 *               -rhost:=orgo;rfs:=/phatdisk/home;sublink:=${key} \
                 host!=${rhost};type:=nfs \
                 host:=${rhost};type:=link

Then edit /etc/default/am-utils, find the AM_UTILS_MAP_OTHERS line and set its contents to "/home /etc/am-utils/progsoc.home". It is possible you may have to log onto orgo and edit /etc/exports, adding a line identical to those there with the hostname of the new server so that it is permitted to access the home directories, but most likely this will not be needed. Create a symbolic link from /var/mail pointing at /net/orgo/phatdisk/mail/, and a link from /org to /net/orgo/phatdisk/org.

After this, install sudo for further setup and so that other admins can work on the machine (sudo is already installed by default on Ubuntu dapper, so you can skip this step if installing Ubuntu):

 apt-get install sudo

While it's perfectly alright to make a sudoers file from scratch, it'd be best to just copy the /etc/sudoers from an existing machine, since basically everyone in the existing files should be trustworthy enough, and it's also simply easier.

Make sure you have at least the basic compilation tools if they're not already installed by running

 sudo apt-get install make gcc libc6-dev automake libtool gcc-doc glibc-doc autoconf

since we are still a programmer's society after all.

To make sure everyone's shell is present so they can log in:

 apt-get install zsh ash csh tcsh

Then go into /usr/local/bin and make symbolic links to each of these shells and to bash there, pointing at the binaries in the /bin directory. This is because many people's login entries have their shells listed as being in /usr/local/bin.

So that admin mail goes to the right person, add a line saying "root:cso" to the /etc/aliases file, which directs root's mail to the CSO.

Setting up CVS:

 apt-get install cvs

Your answers to the questions don't matter since we use our own configuration. Then edit /etc/inetd.conf by adding a line at the bottom saying:

 1001 stream tcp nowait root /usr/bin/cvs cvs -f --allow-root=/home/rhoward/cvs/sdp27 --allow-root=/home/rhoward/cvs/sdp27/ pserver

This will run the cvs server on port 1001 (this gets around some of ProgSoc's firewall restrictions), though it only allows access to the cvs repository in /home/rhoward/cvs/sdp27, using the password info stored in that repository (since that's the only project being done in cvs on our servers); any additional repositories must be added manually in the same way. Also, comment out the existing cvspserver line in inetd.conf.

SETTING UP MAIL:

 apt-get install exim4-daemon-heavy sa-exim spamc spamassassin mhonarc greylistd clamav clamav-daemon

While this can be configured from scratch, it's really really unlikely you'd ever need to do this just when setting up a new machine, instead just copy over the config file from an existing machine, and be sure to make a symbolic link in /org/progsoc.org/etc pointing to the correct majordomo binary, using the same name format as all the other links in that directory. Also, be sure to edit /etc/default/spamassassin, setting spamassassin to enabled, or else it won't actually scan mail.

It is VITAL that you modify /etc/mailname and change it to contain the value 'progsoc.uts.edu.au' otherwise email WILL NOT WORK.

Also, because mail spools are stored over NFS, install nfs-common in order to avoid locking problems:

 apt-get install nfs-common

Now, finally, make sure the machine has internet access on port 25, or else there's big trouble. Do this by running telnet and trying to open a connection to a mail server from its prompt:

 telnet
 telnet> open mail.iinet.net.au 25

In order to add majordomo's group and user to the new machine, run the following:

 groupadd -g 31 majordom
 useradd -s /bin/sh -d /org/progsoc.org/majordomo -g 31 -u 30 majordom

Then update exim's configuration by running:

 update-exim4.conf

greylistd will ask a number of questions during installation:

  • Initial delay imposed on first-time senders (in seconds): 300
  • Expiration period for first-time delivery retried (in seconds): 28800
  • Expiration period for whitelisted items (in seconds): 5184000
  • Do you want to retain original greylist triplets? yes
  • Who should be the owner of the greylistd process and socket? Debian-exim:Debian-exim
  • Do you want me to automatically configure Exim 4 for greylistd? yes
  • Apply 24-bit netmask to sender host address

Then move aside the old whitelist-hosts file, change into the greylisting directory and link to the common Progsoc whitelist:

 sudo mv /etc/greylistd/whitelist-hosts /etc/greylistd/whitelist-hosts.old
 cd /etc/greylistd
 sudo ln -s /org/progsoc.org/etc/whitelist-hosts

In order for ClamAV to work you must add the clamav user to the Debian-exim group and then restart both exim and clamav-daemon:

 sudo adduser clamav Debian-exim
 sudo /etc/init.d/exim4 restart
 sudo /etc/init.d/clamav-daemon restart

Setting up web:

Other things to setup

Other apps you really should apt-get:

  • less, ftp (near essential command line tools), lftp
  • libncurses5-dev (so pine can be compiled, something you or someone else can do)
  • screen (lots of users like to use it)
  • finger, talk & talkd (finding and harassing other users)
  • traceroute, iproute (general internet stuff)
  • gdm (for setting up X later)
  • nscd (Name Service Cache Daemon, helps speed up resolving user names)
  • logcheck (to produce system check emails)

Random junk you may as well add:

  • epic4, irssi-text, irssi-scripts (IRC clients)
  • nethack, nethack-console (if you need to know why, what kind of Progsoc member are you?)
  • bsdgames (hey, I want to hunt the wumpus!)
  • emacs21

CHAPTER 2 - SETTING UP TROOOOOOOOOOGDOOOOOOOOOOORRR!!!!!

To install stuff on trogdor, you have to connect to it over the serial port; this is done by running minicom on geryon, which is connected to trogdor.

At Trogdor's firmware prompt type "boot cdrom", then at the SILO prompt use "Linux cdrom devfs=mount rw ramdisk_size=8192 rootfstype=ext2" (the default boot entry will crash hard most of the time). Set language & country, I'm sure you can figure it out. Use eth0 for the network connection; DHCP will fail, so set up the network manually:

 IP 138.25.6.3
 Netmask 255.255.255.0
 Gateway 138.25.6.254
 DNS 138.25.6.2
 hostname trogdor
 domain progsoc.uts.edu.au

Do manual partitioning; that's up to you. Ideally make a set of LVM partitions to store backups on (if they don't already exist), but for various reasons this may not work. At the least set up the system partitions, and let the automated install run.

Just follow the prompts; there is no need to specify a keymap or create a non-privileged user. You will need to add other apt sources; generally the best is to add ftp://mirror.aarnet.edu.au, and ideally one other mirror. Also answer yes to adding the security update mirror. When it comes to adding additional packages, it's probably best to do it manually later, since the automated process seems to screw up. Personally I'd suggest also adding ftp.debian.org to /etc/apt/sources.list later, since it seems to be the most up to date mirror of all.

The remaining setup can basically be done the same as with the previous howto, just manually apt-getting certain packages, rather than having them installed automatically.

To set up VNC, install vnc4server; tightvnc does not seem to work right. You will also need a desktop manager, probably gdm is best, and a few window managers, whatever you want. Activate XDMCP in your desktop manager's config file, and tell it to allow indirect connections. Then set a port in /etc/services with a name like "vnc800", and possibly others such as "vnc640" or "vnc1024" for other desktop sizes; probably use a port around 5950 or so. Then in /etc/inetd.conf add a line saying:

 vnc800 stream tcp nowait nobody /usr/bin/Xvnc Xvnc -inetd -query localhost -localhost -once -depth 16 -geometry 800x600 -securitytypes=none

Then, restart inetd, and anyone should be able to connect to the VNC server as long as they use a tunnelled SSH connection, something most clients should allow.
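Before restarting inetd it is worth checking the new lines, both the cvs pserver line from the Debian chapter and the Xvnc line above. Here is an added shell example (not from this wiki page) that does two checks over an inetd.conf and a services file: every named service must have an /etc/services entry for its protocol (inetd cannot start one that doesn't), and every Xvnc entry must carry -localhost, because with -securitytypes=none the loopback-only bind plus the SSH tunnel is the only access control left. The file paths and the classic inetd.conf field layout (service, socket type, protocol, wait flag, user, server path, argv) are the assumptions.

```shell
#!/bin/sh
# Added example, not from the ProgSoc page: sanity-check inetd.conf entries
# against /etc/services before restarting inetd. Field layout assumed:
#   service  socktype  proto  wait/nowait  user  server-path  argv...

# inetd_check INETD_CONF SERVICES ; exit status 0 when clean, 1 otherwise
inetd_check() {
    awk -v services="$2" '
        BEGIN {
            # index the services file as "name/proto" -> port
            while ((getline line < services) > 0) {
                sub(/^[ \t]+/, "", line)
                if (line ~ /^#/ || line == "") continue
                split(line, f, /[ \t]+/)         # name  port/proto  [aliases]
                split(f[2], pp, "/")
                known[f[1] "/" pp[2]] = pp[1]
            }
            close(services)
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blanks
        {
            svc = $1; proto = $3; server = $6
            # a numeric service (like the cvs line on 1001) needs no entry
            if (svc !~ /^[0-9]+$/ && !((svc "/" proto) in known)) {
                printf "line %d: no %s entry for %s/%s\n", NR, services, svc, proto
                bad++
            }
            # an Xvnc with no authentication must at least be loopback-only
            if (server ~ /\/Xvnc$/) {
                loopback = 0
                for (i = 7; i <= NF; i++) if ($i == "-localhost") loopback = 1
                if (!loopback) { printf "line %d: Xvnc without -localhost\n", NR; bad++ }
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Demonstration on constructed files: the two lines from the text plus a
# vnc1024 line that was never added to services and forgot -localhost.
demo() {
    d=$(mktemp -d)
    printf 'cvspserver\t2401/tcp\nvnc800\t\t5950/tcp\n' > "$d/services"
    cat > "$d/inetd.conf" <<'EOF'
# constructed inetd.conf
1001 stream tcp nowait root /usr/bin/cvs cvs -f --allow-root=/home/rhoward/cvs/sdp27 pserver
vnc800 stream tcp nowait nobody /usr/bin/Xvnc Xvnc -inetd -query localhost -localhost -once -depth 16 -geometry 800x600 -securitytypes=none
vnc1024 stream tcp nowait nobody /usr/bin/Xvnc Xvnc -inetd -query localhost -once -depth 16 -geometry 1024x768 -securitytypes=none
EOF
    inetd_check "$d/inetd.conf" "$d/services" || echo "inetd.conf needs fixing before restarting inetd"
    rm -rf "$d"
}

demo
```

Run it as inetd_check /etc/inetd.conf /etc/services on the real files; the demo reports only the vnc1024 line, once for the missing services entry and once for the missing -localhost, which is the mistake that quietly turns the tunnel-only desktop into one open to the whole network.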

CHAPTER 3 - SETTING UP WEB AND MYSQL ON INCUBUS

Note: written after the fact due to the incredible amount of messing required to get these things to work in the first place
