Linux Administration & Maintenance
Latest revision as of 19:37, 28 August 2015

Gentoo

On-Campus, we can speed installation/updates by using a local source; in your /etc/make.conf:

GENTOO_MIRRORS="rsync://musashi.iat.sfu.ca/gentoo/"

An alternative is to use an NFS mount, but if NFS breaks or is unavailable... :-(
Robin: "For best performance, I recommend mounting musashi.iat.sfu.ca:/export/gentoo/distfiles on /mnt/distfiles and specifying that in your make.conf. The NFS route ensures that downloaded files go back into the mirror."
Gentoo Local-Mirror Operation

LDAP Authentication, and Home-Directory AutoMounting

First, make sure you have the necessary packages on your system (NOTE: enable the ldap USE flag on every package that offers it, such as autofs):

hostname ~ # emerge -v pam_ldap nss_ldap autofs

There are seven configuration files, and two directories which must be correct:

/etc/ldap.conf
/etc/nsswitch.conf
/etc/auto.master
/etc/conf.d/autofs
/etc/localshell.conf
/etc/pam.d/system-auth
/bin/localshell
/home/users/
/home/projects/


Create the necessary directories:

hostname ~ # mkdir /home/users
hostname ~ # mkdir /home/projects
hostname ~ # mkdir /etc/localshell

Emerge localshell and copy over /etc/localshell.conf from a working machine.

Modify /etc/shells to include /bin/localshell as a valid shell, like this:

# /etc/shells: valid login shells
/bin/localshell
/bin/bash
/usr/bin/nxserver
/bin/csh
/bin/esh
/bin/fish
/bin/ksh
/bin/sash
/bin/sh
/bin/tcsh
/bin/zsh


Example /etc/ldap.conf, with commented-out portions omitted

# Your LDAP server. Must be resolvable without using LDAP.
host 209.87.56.238

# The distinguished name of the search base.
base dc=iat,dc=sfu,dc=ca

# The distinguished name to bind to the server with.
binddn cn=Reader,dc=iat,dc=sfu,dc=ca

# The credentials to bind with.
# CAUTION: nss_ldap reads this file from inside every user's processes, so it has
# to stay world-readable, and this password is visible to every local account.
# Keep the Reader account read-only. Without "ssl start_tls" (or "ssl on") the
# bind and every lookup also travel over the network in the clear.
bindpw <supersecret!!>

# RFC2307bis naming contexts
nss_base_passwd         ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_shadow         ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_group          ou=Group,dc=iat,dc=sfu,dc=ca
nss_base_hosts          ou=Hosts,dc=iat,dc=sfu,dc=ca
nss_base_services       ou=Services,dc=iat,dc=sfu,dc=ca
nss_base_networks       ou=Networks,dc=iat,dc=sfu,dc=ca
nss_base_protocols      ou=Protocols,dc=iat,dc=sfu,dc=ca
nss_base_rpc            ou=Rpc,dc=iat,dc=sfu,dc=ca
nss_base_ethers         ou=Ethers,dc=iat,dc=sfu,dc=ca
nss_base_netmasks       ou=Networks,dc=iat,dc=sfu,dc=ca
nss_base_bootparams     ou=Ethers,dc=iat,dc=sfu,dc=ca
nss_base_aliases        ou=Aliases,dc=iat,dc=sfu,dc=ca
nss_base_netgroup       ou=Netgroup,dc=iat,dc=sfu,dc=ca
nss_reconnect_tries 1          # number of times to double the sleep time
nss_reconnect_sleeptime 1      # initial sleep value
nss_reconnect_maxsleeptime 1   # max sleep value to cap at
nss_reconnect_maxconntries 3   # how many tries before sleeping

Create and populate /etc/ldap.secret from a working machine. (This step is struck out on the page: /etc/ldap.secret is only read when rootbinddn is set, and the example above binds with binddn/bindpw instead.)

Example /etc/nsswitch.conf:

passwd:      compat ldap [UNAVAIL=return]
shadow:      compat ldap [UNAVAIL=return]
group:       compat ldap [UNAVAIL=return]

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files


Example /etc/auto.master (older autofs packages install this file as /etc/autofs/auto.master; edit whichever path your installed version reads)

/home/users     ldap:209.87.56.238:ou=home.users,ou=AutoFS,dc=iat,dc=sfu,dc=ca
/home/projects  ldap:209.87.56.238:ou=home.projects,ou=AutoFS,dc=iat,dc=sfu,dc=ca


Example /etc/pam.d/system-auth

 # Prompt user for pass, check against unix auth-method.
 # Includes nsswitch, so an LDAP pass will succeed, if nsswitch is configured.
 # Certain users or services may have blank passwords; we'll allow these to succeed
 # (nullok means any account whose password field is empty logs in with no password
 # at all, so audit for empty fields and keep sshd's PermitEmptyPasswords at "no").
auth               required          pam_unix.so nullok

 # Account verification, password expiration.
 # Also checks LDAP, if nsswitch.conf is configured.
account            required          pam_unix.so

 # We don't allow changing of (logged-in user account) passwords directly on this machine
 # Use tools on LDAP server instead
password           required          pam_deny.so

 # Log username and service to /var/log/messages (audit trail)
session            required          pam_unix.so
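
The four client-side files above (/etc/ldap.conf, /etc/nsswitch.conf, /etc/pam.d/system-auth and /etc/shells) interact in ways that are easy to get wrong, so here is a small auditor that parses them as text and reports the points a security reviewer would raise about exactly this setup. This is an added example, not code from the wiki page; the file contents embedded in it are constructed to mirror the page's examples with placeholder values (the host, base DN and bind password are not the page's), and the severity codes are this script's own.

```python
"""Audit pam_ldap / nss_ldap client files for the weaknesses discussed above.

Added example, not from the wiki page. Sample contents are constructed with
placeholder values; pass real file contents to audit() to check a live host.
"""

# Constructed samples mirroring the page's examples (placeholder values).
LDAP_CONF = """\
# Your LDAP server. Must be resolvable without using LDAP.
host 203.0.113.10
base dc=example,dc=org
binddn cn=Reader,dc=example,dc=org
bindpw placeholder-secret
nss_base_passwd ou=Users,dc=example,dc=org
nss_base_shadow ou=Users,dc=example,dc=org
"""
NSSWITCH_CONF = """\
passwd:      compat ldap [UNAVAIL=return]
shadow:      compat ldap [UNAVAIL=return]
group:       compat ldap [UNAVAIL=return]
hosts:       files dns
"""
SYSTEM_AUTH = """\
 # Prompt user for pass, check against unix auth-method.
auth               required          pam_unix.so nullok
account            required          pam_unix.so
password           required          pam_deny.so
session            required          pam_unix.so
"""
SHELLS = "# /etc/shells: valid login shells\n/bin/localshell\n/bin/bash\n/bin/sh\n"


def _clean_lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_ldap_conf(text):
    """ldap.conf is 'key value' per line; a repeated key overwrites."""
    conf = {}
    for line in _clean_lines(text):
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def parse_nsswitch(text):
    """'database: service ... [ACTION=...]' -> {database: [tokens]}."""
    dbs = {}
    for line in _clean_lines(text):
        db, _, rest = line.partition(":")
        dbs[db.strip()] = rest.split()
    return dbs


def parse_pam(text):
    """PAM stack lines -> (type, control, module, [args])."""
    stack = []
    for line in _clean_lines(text):
        f = line.split()
        if len(f) >= 3:
            stack.append((f[0], f[1], f[2], f[3:]))
    return stack


def audit(ldap_conf, nsswitch, system_auth, shells):
    """Return [(severity, code, message)] for the four client files."""
    findings = []
    ldap, nss, pam = parse_ldap_conf(ldap_conf), parse_nsswitch(nsswitch), parse_pam(system_auth)

    # nss_ldap runs inside every user's processes, so /etc/ldap.conf must be
    # world-readable: a bindpw in it is readable by every local account.
    if "bindpw" in ldap:
        findings.append(("HIGH", "bindpw-world-readable",
                         "bindpw sits in world-readable /etc/ldap.conf (rootbinddn + "
                         "/etc/ldap.secret keeps a privileged bind out of that file)"))
        # pam_unix verifies LDAP users against the hash returned by the NSS shadow
        # lookup, so whoever copies the Reader credential can read the hashes too.
        if "ldap" in nss.get("shadow", []) and "rootbinddn" not in ldap:
            findings.append(("HIGH", "hashes-exposed-via-nss-shadow",
                             "shadow via LDAP with a world-readable bind credential "
                             "exposes password hashes to every local user"))
    if ldap.get("ssl", "off") not in ("on", "start_tls"):
        findings.append(("MEDIUM", "cleartext-ldap",
                         "no 'ssl on'/'ssl start_tls': binds and lookups are unencrypted"))

    # nullok on pam_unix auth: an empty password field means no password at all.
    if any(t == "auth" and m.endswith("pam_unix.so") and "nullok" in a for t, _, m, a in pam):
        findings.append(("MEDIUM", "pam-nullok",
                         "auth pam_unix.so nullok admits accounts with an empty password field"))
    pw_stack = [m for t, _, m, _ in pam if t == "password"]
    if pw_stack and all(m.endswith("pam_deny.so") for m in pw_stack):
        findings.append(("INFO", "passwd-change-denied",
                         "password stack is pam_deny only: passwd fails here by design"))

    # /bin/localshell must be listed in /etc/shells to count as a valid shell.
    listed = [l.strip() for l in shells.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    if "/bin/localshell" not in listed:
        findings.append(("WARN", "localshell-missing", "/bin/localshell is not listed in /etc/shells"))
    return findings


if __name__ == "__main__":
    for severity, code, message in audit(LDAP_CONF, NSSWITCH_CONF, SYSTEM_AUTH, SHELLS):
        print(f"{severity:6} {code:30} {message}")
```

Run against the page's layout it reports the two HIGH findings (the Reader password, and therefore the hashes it can read, are available to every local account), the cleartext bind, nullok, and the deliberate pam_deny password stack; adding `rootbinddn` with /etc/ldap.secret and `ssl start_tls` clears the first three.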


Example /etc/conf.d/autofs

TIMEOUT=300
BROWSE_MODE="no"
USE_MISC_DEVICE="yes"
MAP_OBJECT_CLASS="organizationalUnit"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"
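
To see what the MAP_*/ENTRY_*/VALUE_* settings above actually select, here is a resolver that answers "what will autofs mount for /home/users/<name>?" from a directory export, the way the automounter does with this schema: the map is an organizationalUnit named by `ou`, each entry is an `automount` object keyed by `cn`, the mount string is `automountInformation`, and a `cn=*` wildcard entry has `&` replaced by the looked-up key. This is an added example, not code from the wiki page; the LDIF is constructed and the server name and base DN in it are placeholders, not the page's.

```python
"""Resolve an automount key from LDAP-style autofs map entries.

Added example, not from the wiki page. SAMPLE_LDIF is constructed with
placeholder names; the attribute names mirror /etc/conf.d/autofs above.
"""

MAP_OBJECT_CLASS = "organizationalUnit"
ENTRY_OBJECT_CLASS = "automount"
MAP_ATTRIBUTE = "ou"
ENTRY_ATTRIBUTE = "cn"
VALUE_ATTRIBUTE = "automountInformation"

# Constructed LDIF: map "home.users" with one explicit entry and a wildcard.
SAMPLE_LDIF = """\
dn: ou=home.users,ou=AutoFS,dc=example,dc=org
objectClass: organizationalUnit
ou: home.users

dn: cn=alice,ou=home.users,ou=AutoFS,dc=example,dc=org
objectClass: automount
cn: alice
automountInformation: -fstype=nfs,hard,intr fileserver:/export/home/alice

dn: cn=*,ou=home.users,ou=AutoFS,dc=example,dc=org
objectClass: automount
cn: *
automountInformation: -fstype=nfs,hard,intr fileserver:/export/home/&
"""


def parse_ldif(text):
    """Minimal LDIF parser (no line folding or base64): [{attr: [values]}]."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")  # only the first ':' separates
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _attr(entry, name):
    return entry.get(name.lower(), [])


def _has_class(entry, object_class):
    return object_class.lower() in (v.lower() for v in _attr(entry, "objectClass"))


def resolve(entries, map_name, key):
    """Mount string autofs would use for <map_name>/<key>, or None if no match."""
    maps = [e for e in entries
            if _has_class(e, MAP_OBJECT_CLASS) and map_name in _attr(e, MAP_ATTRIBUTE)]
    if not maps:
        return None
    map_dn = _attr(maps[0], "dn")[0].lower()
    # Map entries are the automount objects directly below the map's DN.
    children = [e for e in entries
                if _has_class(e, ENTRY_OBJECT_CLASS)
                and _attr(e, "dn")[0].lower().endswith("," + map_dn)]
    wildcard = None
    for entry in children:
        names = _attr(entry, ENTRY_ATTRIBUTE)
        if key in names:                      # exact key wins over the wildcard
            return _attr(entry, VALUE_ATTRIBUTE)[0]
        if "*" in names:
            wildcard = entry
    if wildcard is not None:
        # autofs substitutes '&' in a wildcard entry with the key being looked up.
        return _attr(wildcard, VALUE_ATTRIBUTE)[0].replace("&", key)
    return None


if __name__ == "__main__":
    maps = parse_ldif(SAMPLE_LDIF)
    for user in ("alice", "bob"):
        print(f"/home/users/{user} -> {resolve(maps, 'home.users', user)}")
```

Feed it the output of an `ldapsearch -b ou=AutoFS,... '(objectClass=*)'` against your own server and it shows whether a missing home directory is a map problem (no entry, wrong `ou`) or an NFS problem (entry found, export wrong).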

Rescuing a Gentoo System

There are two basic ways to consider:

  • Boot from a CD
  • Build critical/rescue packages on another (working) machine, and then install them on the problematic box

Rescue CD Method

boot from a CD, typically

boot: gentoo

enable swap (of course, your swap-partition may differ! Most of ours are the second primary partition, whether /dev/hda2, or /dev/sda2, or /dev/sdb2)

livecd root # swapon /dev/sda2

mount the main (root) partition, optionally the boot partition

livecd root # mount /dev/sda3 /mnt/gentoo
livecd root # mount /dev/sda1 /mnt/gentoo/boot

get some networking going

livecd root # dhcpcd &
livecd root # ifconfig eth0 up
livecd root # ifconfig  (verify we got an IP)

prepare for chrooting

livecd root # mount -t proc none /mnt/gentoo/proc
livecd root # mount -o bind /dev /mnt/gentoo/dev

set up a new environment root

livecd root # cd /mnt/gentoo
livecd gentoo # chroot /mnt/gentoo /bin/bash
livecd / # env-update
livecd / # source /etc/profile
livecd / # export PS1="(chroot) $PS1"

Grub reads the /etc/mtab file to learn about the currently mounted filesystems (you only need to do this if your rescue-work involves GRUB):

livecd / # cp /proc/mounts /etc/mtab

Now, do your rescue work. Good luck!

To back out of the chroot, and check your fix(es)

livecd / # exit
livecd root # cd /
livecd root # umount /mnt/gentoo/boot /mnt/gentoo/proc /mnt/gentoo/dev /mnt/gentoo
livecd root # reboot

Build Critical/Rescue files on Another Machine

This approach is commonly required when a machine is in such a state that it cannot compile successfully. Often the broken culprits are coreutils, binutils, or gcc. If the machine cannot compile, we can use another similarly-configured / similar-architecture computer to build binary packages for us; these are then simply copied, unpacked and quickly installed onto the problem machine. Because emerge -K unpacks the tarball onto the target as root, the build-host must be trusted as much as the target itself, and it should match the target's CHOST, profile and USE flags.
HINT: even if you don't have a broken system, this approach of build on one machine / install on another can be a real time-saver, if your build-host is a fast machine.

On the build-host, as root:

buildhost root # emerge -B <problem_packages>   <you can, of course, test the build by using the -p/--pretend option:  emerge -pB>

This builds a .tbz2 tarball, with emerge information included, but does not install it onto the build-host system. Typically this will be found on the buildhost under /usr/portage/packages/<category>/<problem_package>. We must now copy this over to the target machine (the one to be rescued):

buildhost root # scp /usr/portage/packages/<category>/<problem_package> root@target:/usr/portage/packages/All/

OR (depending on system specifics)

buildhost root # scp /usr/portage/packages/<category>/<problem_package> root@target:/usr/portage/packages/<category>

Now move over to the target machine (the one to be rescued):

target root # emerge -K <problem_packages>   <again, you can test the installation by invoking emerge -pK>


Linux Tips and Tools

Linux Tips and Tools