Linux Administration & Maintenance: Difference between revisions

From Research
Jump to navigation Jump to search
← Older edit
Hha13 (talk | contribs)
240 edits
No edit summary
 
(44 intermediate revisions by 3 users not shown)
Line 1: Line 1:
==Gentoo==
==Gentoo==
On-Campus, we can speed installation/updates by using a local source; in your /etc/make.conf:<br>
On-Campus, we can speed installation/updates by using a local source; in your /etc/make.conf:<br>
  GENTOO_MIRRORS="http://mirror.iat.sfu.ca/gentoo/"
  GENTOO_MIRRORS="rsync://musashi.iat.sfu.ca/gentoo/"
An alternative is to use an NFS mount, but if NFS breaks or is unavailable... :-(<br>
An alternative is to use an NFS mount, but if NFS breaks or is unavailable... :-(<br>
Robin: "For best performance, I recommend mounting
Robin: "For best performance, I recommend mounting
Line 10: Line 10:


===LDAP Authentication, and Home-Directory AutoMounting===
===LDAP Authentication, and Home-Directory AutoMounting===
First, make sure you have the necessary packages on your system:
First, make sure you have the necessary packages on your system '''(NOTE:  enable LDAP USE-FLAG where it appears, like autofs)''':
  <font color=red>hostname</font> <font color=blue>~ #</font> '''emerge -v pam_ldap nss_ldap autofs'''
  <font color=red>hostname</font> <font color=blue>~ #</font> '''emerge -v pam_ldap nss_ldap autofs'''


There are five configuration files, and three directories which must be correct:
There are seven configuration files, and two directories which must be correct:


  /etc/ldap.conf
  /etc/ldap.conf
  /etc/nsswitch.conf
  /etc/nsswitch.conf
  /etc/autofs/auto.master
  /etc/auto.master
/etc/conf.d/autofs
/etc/localshell.conf
  /etc/pam.d/system-auth
  /etc/pam.d/system-auth
  /bin/localshell
  /bin/localshell
  /home/users/
  /home/users/
  /home/projects/
  /home/projects/
/etc/localshell/
 


Create the necessary directories:
Create the necessary directories:
Line 29: Line 32:
  <font color=red>hostname</font> <font color=blue>~ #</font> '''mkdir /etc/localshell'''
  <font color=red>hostname</font> <font color=blue>~ #</font> '''mkdir /etc/localshell'''


Copy over the /etc/localshell/* and /bin/localshell from a working machine.
Emerge localshell and copy over [[/etc/localshell.conf]] from a working machine.
 
Modify /etc/shells to include /bin/localshell as a valid shell, like this:
# /etc/shells: valid login shells
'''/bin/localshell'''
/bin/bash
/usr/bin/nxserver
/bin/csh
/bin/esh
/bin/fish
/bin/ksh
/bin/sash
/bin/sh
/bin/tcsh
/bin/zsh
 


Example /etc/ldap.conf, with commented-out portions omitted
Example /etc/ldap.conf, with commented-out portions omitted
Line 59: Line 77:
  nss_base_aliases        ou=Aliases,dc=iat,dc=sfu,dc=ca
  nss_base_aliases        ou=Aliases,dc=iat,dc=sfu,dc=ca
  nss_base_netgroup      ou=Netgroup,dc=iat,dc=sfu,dc=ca
  nss_base_netgroup      ou=Netgroup,dc=iat,dc=sfu,dc=ca
nss_reconnect_tries 1 # number of times to double the sleep time
nss_reconnect_sleeptime 1 # initial sleep value
nss_reconnect_maxsleeptime 1 # max sleep value to cap at
nss_reconnect_maxconntries 3 # how many tries before sleeping


<s>Create and populate /etc/ldap.secret from a working machine.</s>


Example nsswitch.conf:
Example /etc/nsswitch.conf:


  passwd:      compat ldap
  passwd:      compat ldap [UNAVAIL=return]
  shadow:      compat ldap
  shadow:      compat ldap [UNAVAIL=return]
  group:      compat ldap
  group:      compat ldap [UNAVAIL=return]
   
   
  # passwd:    db files nis
  # passwd:    db files nis
Line 94: Line 117:
Example /etc/pam.d/system-auth
Example /etc/pam.d/system-auth


auth       required    /lib/security/pam_env.so
  # Prompt user for pass, check against unix auth-method.
auth      sufficient   /lib/security/pam_unix.so likeauth nullok
   # Includes nsswitch, so an LDAP pass will succeed, if nsswitch is configured.
auth      sufficient   /lib/security/pam_ldap.so use_first_pass
   # Certain users or services may have blank passwords; we'll allow these to succeed
  auth       required     /lib/security/pam_deny.so
  auth               required         pam_unix.so nullok
   
   
  account   required     /lib/security/pam_unix.so
  # Account verification, password expiration.
account    sufficient  /lib/security/pam_ldap.so
  # Also checks LDAP, if nsswitch.conf is configured.
  account           required         pam_unix.so
   
   
password  required    /lib/security/pam_cracklib.so retry=3
   # We don't allow changing of (logged-in user account) passwords directly on this machine
password   sufficient  /lib/security/pam_unix.so nullok md5 shadow use_authtok
   # Use tools on LDAP server instead
password   sufficient  /lib/security/pam_ldap.so use_authtok
  password           required         pam_deny.so
  password   required     /lib/security/pam_deny.so
   
   
session    required    /lib/security/pam_limits.so
  # Log username and service to /var/log/messages (audit trail)
  session   required     /lib/security/pam_unix.so
  session           required         pam_unix.so
session    required    /lib/security/pam_ldap.so
 
 
 
Example /etc/conf.d/autofs
 
TIMEOUT=300
BROWSE_MODE="no"
USE_MISC_DEVICE="yes"
MAP_OBJECT_CLASS="organizationalUnit"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"


===Rescuing a Gentoo System===
===Rescuing a Gentoo System===
There are two basic ways to consider:<br>
<li>  Boot from a CD
<li>  Build critical/resuce packages on another (working) machine, and then install them on the problematic box
</li>
====Rescue CD Method====
boot from a CD, typically
boot from a CD, typically
  boot: '''gentoo'''
  boot: '''gentoo'''
enable swap
enable swap ''(of course, '''your''' swap-partition may differ!  Most of ours are the second primary partion, whether /dev/hda2, or /dev/sda2, or /dev/sdb2)''
  <font color=red>livecd</font> <font color=blue>root #</font> '''swapon /dev/sda2'''
  <font color=red>livecd</font> <font color=blue>root #</font> '''swapon /dev/sda2'''
mount the main (root) partition, optionally the boot partition
mount the main (root) partition, optionally the boot partition
Line 124: Line 164:
  <font color=red>livecd</font> <font color=blue>root #</font> '''ifconfig'''  ''(verify we got an IP)''
  <font color=red>livecd</font> <font color=blue>root #</font> '''ifconfig'''  ''(verify we got an IP)''
prepare for chrooting
prepare for chrooting
  <font color=red>livecd</font> <font color=blue>root #</font> '''mount -o bind /proc /mnt/gentoo/proc'''
  <font color=red>livecd</font> <font color=blue>root #</font> '''mount -t proc none /mnt/gentoo/proc'''
  <font color=red>livecd</font> <font color=blue>root #</font> '''mount -o bind /dev /mnt/gentoo/dev'''
  <font color=red>livecd</font> <font color=blue>root #</font> '''mount -o bind /dev /mnt/gentoo/dev'''
<font color=red>livecd</font> <font color=blue>root #</font> '''mount -o bind /sys /mnt/gentoo/sys'''
set up a new environment root
set up a new environment root
  <font color=red>livecd</font> <font color=blue>root #</font> '''cd /mnt/gentoo'''
  <font color=red>livecd</font> <font color=blue>root #</font> '''cd /mnt/gentoo'''
Line 132: Line 171:
  <font color=red>livecd</font> <font color=blue>/ #</font> '''env-update'''
  <font color=red>livecd</font> <font color=blue>/ #</font> '''env-update'''
  <font color=red>livecd</font> <font color=blue>/ #</font> '''source /etc/profile'''
  <font color=red>livecd</font> <font color=blue>/ #</font> '''source /etc/profile'''
<font color=red>livecd</font> <font color=blue>/ #</font> '''export PS1="(chroot) $PS1"'''
Grub reads the /etc/mtab file to learn about the currently mounted filesystems (you only need to do this if your rescue-work involves GRUB):
<font color=red>livecd</font> <font color=blue>/ #</font> '''cp /proc/mounts /etc/mtab'''


Now, do your rescue work.  Good luck!
Now, do your rescue work.  Good luck!
Line 138: Line 180:
  <font color=red>livecd</font> <font color=blue>/ #</font> <font color=black>'''exit'''
  <font color=red>livecd</font> <font color=blue>/ #</font> <font color=black>'''exit'''
  <font color=red>livecd</font> <font color=blue>root #</font> '''cd /'''
  <font color=red>livecd</font> <font color=blue>root #</font> '''cd /'''
  <font color=red>livecd</font> <font color=blue>root #</font> '''umount /mnt/gentoo/boot /mnt/gentoo/proc /mnt/gentoo/dev /mnt/gentoo/sys /mnt/gentoo'''
  <font color=red>livecd</font> <font color=blue>root #</font> '''umount /mnt/gentoo/boot /mnt/gentoo/proc /mnt/gentoo/dev /mnt/gentoo'''
  <font color=red>livecd</font> <font color=blue>root #</font> '''reboot'''
  <font color=red>livecd</font> <font color=blue>root #</font> '''reboot'''


==SUSE==
====Build Critical/Rescue files on Another Machine====
On-Campus, we can speed installation/updates by using a local source:<br>
This approach is commonly required when a machine is in such a state that it cannot compile successfully. Often the broken culprits are '''coreutils''', '''binutils''', or '''gcc'''. If the machine cannot compile, we can use another similarly-configured / similar-architecture computer to build binary packages for us; these are then simply copied, unpacked and quickly installed onto the problem machine.<br>
nfs://export/mirror/suse<br>
HINT:  even if you don't have a broken system, this approach of build on one machine / install on another can be a real time-saver, if your build-host is a fast machine.<br>
 
 
* TODO: Instructions for install with LDAP working
* TODO: Instructions for auto-update configuration
 
==RedHat/Fedora==
* TODO: Instructions for install with LDAP working
 
==Ubuntu==
 
Below are instructions for setting up a Ubuntu Linux workstation. All instructions are for version 7.04.
 
To enable the use of dual-monitor display on an Nvidia video card, follow these instructions:
 
* First enable the Nvidia driver, by clicking on System > Administration > Restricted Drivers Manger, authenticating, and checking "Enabled". Close the manager.
 
* Next run the following command in a Terminal, and authenticate when prompted:
user@host:/~$ '''gksudo nvidia-settings'''


*On the left side of the GUI, go to 'X Server Display Configuration'. Enable both displays, and choose TwinView for Configuration type. Make sure the resolutions match your monitors. Hit 'Apply' to see if these setting work for you. Your monitors should now turn into one big screen. Accept the configuration if this is true, otherwise cancel and fix the settings.  
On the build-host, as root:
 
<font color=red>buildhost</font> <font color=blue>root #</font> '''emerge -B ''<problem_packages>'''''   ''<you can, or course, test the build by using the -p/--pretend option:  emerge -pB>''
*Now press 'Quit' in the bottom right, log out, then log back in. You should no longer see one large screen, but a main display on the left and a secondary on the right (if this is how you configured it), and you should be able to drag windows from a window back to the other.
This builds a '''.tbz2''' tarball, with emerge information included, but does not install it onto the build-host system. Typically this will be found on the buildhost under '''/usr/portage/packages/''<category>/<problem_package>'''''.  We must now copy this over to the targe machine (the one to be rescued):
 
  <font color=red>buildhost</font> <font color=blue>root #</font> '''scp /usr/portage/packages/''<category>/<problem_package>'' root@target:/usr/portage/packages/All/'''
*Run the 'gksudo nvidia-settings' command above one more time. If you are satisfied with your settings, click 'Save to X Configuration File' and quit.
'''OR''' (depending on system specifics)
 
<font color=red>buildhost</font> <font color=blue>root #</font> '''scp /usr/portage/packages/''<category>/<problem_package>'' root@target:/usr/portage/packages/''<category>'''''
===LDAP Authentication, and Home-Directory AutoMounting===
Now move over to the target machine (the one to be rescued):
<font color=red>target</font> <font color=blue>root #</font> '''emerge -K ''<problem_packages>'''''  ''<again, you can test the installation by invoking emerge -pK>''


*Save to X Configuration File after logout/login
*sudo apt-get install ssh openssh-server
*sudo passwd root
*libnss-ldap.conf same as pam_ldap.conf
*nsswitch.conf
*/etc/pam.d/commom files
*use_first_pass
*http://www.marzocca.net/linux/bum.html


==Linux Tips and Tools==
==Linux Tips and Tools==
[[Linux Tips and Tools]]
[[Linux Tips and Tools]]

Latest revision as of 19:37, 28 August 2015

Gentoo

On-Campus, we can speed installation/updates by using a local source; in your /etc/make.conf:

GENTOO_MIRRORS="rsync://musashi.iat.sfu.ca/gentoo/"

An alternative is to use an NFS mount, but if NFS breaks or is unavailable... :-(
Robin: "For best performance, I recommend mounting musashi.iat.sfu.ca:/export/gentoo/distfiles on /mnt/distfiles and specifying that in your make.conf. The NFS route ensures that downloaded files go back into the mirror."
Gentoo Local-Mirror Operation

LDAP Authentication, and Home-Directory AutoMounting

First, make sure you have the necessary packages on your system (NOTE: enable LDAP USE-FLAG where it appears, like autofs): 

hostname ~ # emerge -v pam_ldap nss_ldap autofs

There are seven configuration files, and two directories which must be correct: 

/etc/ldap.conf
/etc/nsswitch.conf
/etc/auto.master
/etc/conf.d/autofs
/etc/localshell.conf
/etc/pam.d/system-auth
/bin/localshell

/home/users/
/home/projects/


Create the necessary directories: 

hostname ~ # mkdir /home/users
hostname ~ # mkdir /home/projects
hostname ~ # mkdir /etc/localshell

Emerge localshell and copy over /etc/localshell.conf from a working machine.

Modify /etc/shells to include /bin/localshell as a valid shell, like this: 

# /etc/shells: valid login shells
/bin/localshell
/bin/bash
/usr/bin/nxserver
/bin/csh
/bin/esh
/bin/fish
/bin/ksh
/bin/sash
/bin/sh
/bin/tcsh
/bin/zsh


Example /etc/ldap.conf, with commented-out portions omitted 

# Your LDAP server. Must be resolvable without using LDAP.
host 209.87.56.238

# The distinguished name of the search base.
base dc=iat,dc=sfu,dc=ca

# The distinguished name to bind to the server with.
binddn cn=Reader,dc=iat,dc=sfu,dc=ca

# The credentials to bind with.
bindpw <supersecret!!>

# RFC2307bis naming contexts
nss_base_passwd         ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_shadow         ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_group          ou=Group,dc=iat,dc=sfu,dc=ca
nss_base_hosts          ou=Hosts,dc=iat,dc=sfu,dc=ca
nss_base_services       ou=Services,dc=iat,dc=sfu,dc=ca
nss_base_networks       ou=Networks,dc=iat,dc=sfu,dc=ca
nss_base_protocols      ou=Protocols,dc=iat,dc=sfu,dc=ca
nss_base_rpc            ou=Rpc,dc=iat,dc=sfu,dc=ca
nss_base_ethers         ou=Ethers,dc=iat,dc=sfu,dc=ca
nss_base_netmasks       ou=Networks,dc=iat,dc=sfu,dc=ca
nss_base_bootparams     ou=Ethers,dc=iat,dc=sfu,dc=ca
nss_base_aliases        ou=Aliases,dc=iat,dc=sfu,dc=ca
nss_base_netgroup       ou=Netgroup,dc=iat,dc=sfu,dc=ca
nss_reconnect_tries 1			# number of times to double the sleep time
nss_reconnect_sleeptime 1		# initial sleep value
nss_reconnect_maxsleeptime 1	# max sleep value to cap at
nss_reconnect_maxconntries 3	# how many tries before sleeping

Create and populate /etc/ldap.secret from a working machine.

Example /etc/nsswitch.conf: 

passwd:      compat ldap [UNAVAIL=return]
shadow:      compat ldap [UNAVAIL=return]
group:       compat ldap [UNAVAIL=return]

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files


Example /etc/autofs/auto.master 

/home/users     ldap:209.87.56.238:ou=home.users,ou=AutoFS,dc=iat,dc=sfu,dc=ca
/home/projects  ldap:209.87.56.238:ou=home.projects,ou=AutoFS,dc=iat,dc=sfu,dc=ca


Example /etc/pam.d/system-auth 

 # Prompt user for pass, check against unix auth-method.
 # Includes nsswitch, so an LDAP pass will succeed, if nsswitch is configured.
 # Certain users or services may have blank passwords; we'll allow these to succeed
auth               required          pam_unix.so nullok

 # Account verification, password expiration.
 # Also checks LDAP, if nsswitch.conf is configured.
account            required          pam_unix.so

 # We don't allow changing of (logged-in user account) passwords directly on this machine
 # Use tools on LDAP server instead
password           required          pam_deny.so

 # Log username and service to /var/log/messages (audit trail)
session            required          pam_unix.so


Example /etc/conf.d/autofs 

TIMEOUT=300
BROWSE_MODE="no"
USE_MISC_DEVICE="yes"
MAP_OBJECT_CLASS="organizationalUnit"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"

Rescuing a Gentoo System

There are two basic ways to consider:

  • Boot from a CD
  • Build critical/resuce packages on another (working) machine, and then install them on the problematic box

    • Rescue CD Method

    boot from a CD, typically 

    boot: gentoo

    enable swap (of course, your swap-partition may differ! Most of ours are the second primary partion, whether /dev/hda2, or /dev/sda2, or /dev/sdb2) 

    livecd root # swapon /dev/sda2

    mount the main (root) partition, optionally the boot partition 

    livecd root # mount /dev/sda3 /mnt/gentoo
livecd root # mount /dev/sda1 /mnt/gentoo/boot

    get some networking going 

    livecd root # dhcpcd &
livecd root # ifconfig eth0 up
livecd root # ifconfig  (verify we got an IP)

    prepare for chrooting 

    livecd root # mount -t proc none /mnt/gentoo/proc
livecd root # mount -o bind /dev /mnt/gentoo/dev

    set up a new environment root 

    livecd root # cd /mnt/gentoo
livecd gentoo # chroot /mnt/gentoo /bin/bash
livecd / # env-update
livecd / # source /etc/profile
livecd / # export PS1="(chroot) $PS1"

    Grub reads the /etc/mtab file to learn about the currently mounted filesystems (you only need to do this if your rescue-work involves GRUB): 

    livecd / # cp /proc/mounts /etc/mtab

    Now, do your rescue work. Good luck!

    To back out of the chroot, and check your fix(es) 

    livecd / # exit
livecd root # cd /
livecd root # umount /mnt/gentoo/boot /mnt/gentoo/proc /mnt/gentoo/dev /mnt/gentoo
livecd root # reboot

    Build Critical/Rescue files on Another Machine

    This approach is commonly required when a machine is in such a state that it cannot compile successfully. Often the broken culprits are coreutils, binutils, or gcc. If the machine cannot compile, we can use another similarly-configured / similar-architecture computer to build binary packages for us; these are then simply copied, unpacked and quickly installed onto the problem machine.
    HINT: even if you don't have a broken system, this approach of build on one machine / install on another can be a real time-saver, if your build-host is a fast machine.

    On the build-host, as root: 

    buildhost root # emerge -B <problem_packages>   <you can, or course, test the build by using the -p/--pretend option:  emerge -pB>

    This builds a .tbz2 tarball, with emerge information included, but does not install it onto the build-host system. Typically this will be found on the buildhost under /usr/portage/packages/<category>/<problem_package>. We must now copy this over to the targe machine (the one to be rescued): 

    buildhost root # scp /usr/portage/packages/<category>/<problem_package> root@target:/usr/portage/packages/All/

    OR (depending on system specifics) 

    buildhost root # scp /usr/portage/packages/<category>/<problem_package> root@target:/usr/portage/packages/<category>

    Now move over to the target machine (the one to be rescued): 

    target root # emerge -K <problem_packages>   <again, you can test the installation by invoking emerge -pK>


    Linux Tips and Tools

    Linux Tips and Tools

    Retrieved from "https://research.iat.sfu.ca/research/index.php?title=Linux_Administration_%26_Maintenance&oldid=5766"