Linux Administration & Maintenance
Latest revision as of 19:37, 28 August 2015
Gentoo
On-Campus, we can speed installation/updates by using a local source; in your /etc/make.conf:
GENTOO_MIRRORS="rsync://musashi.iat.sfu.ca/gentoo/"
An alternative is to use an NFS mount, but if NFS breaks or is unavailable... :-(
Robin: "For best performance, I recommend mounting
musashi.iat.sfu.ca:/export/gentoo/distfiles on /mnt/distfiles
and specifying that in your make.conf. The NFS route ensures that downloaded files go back into the mirror."
Gentoo Local-Mirror Operation
LDAP Authentication, and Home-Directory AutoMounting
First, make sure you have the necessary packages on your system (NOTE: enable LDAP USE-FLAG where it appears, like autofs):
hostname ~ # emerge -v pam_ldap nss_ldap autofs
There are seven configuration files, and two directories which must be correct:
/etc/ldap.conf
/etc/nsswitch.conf
/etc/auto.master
/etc/conf.d/autofs
/etc/localshell.conf
/etc/pam.d/system-auth
/bin/localshell
/home/users/
/home/projects/
Create the necessary directories:
hostname ~ # mkdir /home/users
hostname ~ # mkdir /home/projects
hostname ~ # mkdir /etc/localshell
Emerge localshell and copy over /etc/localshell.conf from a working machine.
Modify /etc/shells to include /bin/localshell as a valid shell, like this:
# /etc/shells: valid login shells
/bin/localshell
/bin/bash
/usr/bin/nxserver
/bin/csh
/bin/esh
/bin/fish
/bin/ksh
/bin/sash
/bin/sh
/bin/tcsh
/bin/zsh
Example /etc/ldap.conf, with commented-out portions omitted
# Your LDAP server. Must be resolvable without using LDAP.
host 209.87.56.238
# The distinguished name of the search base.
base dc=iat,dc=sfu,dc=ca
# The distinguished name to bind to the server with.
binddn cn=Reader,dc=iat,dc=sfu,dc=ca
# The credentials to bind with.
bindpw <supersecret!!>
# RFC2307bis naming contexts
nss_base_passwd ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_shadow ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_group ou=Group,dc=iat,dc=sfu,dc=ca
nss_base_hosts ou=Hosts,dc=iat,dc=sfu,dc=ca
nss_base_services ou=Services,dc=iat,dc=sfu,dc=ca
nss_base_networks ou=Networks,dc=iat,dc=sfu,dc=ca
nss_base_protocols ou=Protocols,dc=iat,dc=sfu,dc=ca
nss_base_rpc ou=Rpc,dc=iat,dc=sfu,dc=ca
nss_base_ethers ou=Ethers,dc=iat,dc=sfu,dc=ca
nss_base_netmasks ou=Networks,dc=iat,dc=sfu,dc=ca
nss_base_bootparams ou=Ethers,dc=iat,dc=sfu,dc=ca
nss_base_aliases ou=Aliases,dc=iat,dc=sfu,dc=ca
nss_base_netgroup ou=Netgroup,dc=iat,dc=sfu,dc=ca
nss_reconnect_tries 1 # number of times to double the sleep time
nss_reconnect_sleeptime 1 # initial sleep value
nss_reconnect_maxsleeptime 1 # max sleep value to cap at
nss_reconnect_maxconntries 3 # how many tries before sleeping
Create and populate /etc/ldap.secret from a working machine. (This step is struck through in the current revision of the wiki page.)
Example /etc/nsswitch.conf:
passwd: compat ldap [UNAVAIL=return]
shadow: compat ldap [UNAVAIL=return]
group: compat ldap [UNAVAIL=return]
# passwd: db files nis
# shadow: db files nis
# group: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
Example /etc/autofs/auto.master
/home/users ldap:209.87.56.238:ou=home.users,ou=AutoFS,dc=iat,dc=sfu,dc=ca
/home/projects ldap:209.87.56.238:ou=home.projects,ou=AutoFS,dc=iat,dc=sfu,dc=ca
Example /etc/pam.d/system-auth
# Prompt user for pass, check against unix auth-method.
# Includes nsswitch, so an LDAP pass will succeed, if nsswitch is configured.
# Certain users or services may have blank passwords; we'll allow these to succeed
auth required pam_unix.so nullok
# Account verification, password expiration.
# Also checks LDAP, if nsswitch.conf is configured.
account required pam_unix.so
# We don't allow changing of (logged-in user account) passwords directly on this machine
# Use tools on LDAP server instead
password required pam_deny.so
# Log username and service to /var/log/messages (audit trail)
session required pam_unix.so
Example /etc/conf.d/autofs
TIMEOUT=300
BROWSE_MODE="no"
USE_MISC_DEVICE="yes"
MAP_OBJECT_CLASS="organizationalUnit"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"
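The files above are easy to get subtly wrong, and the failure mode (nobody can log in, or everybody with an empty password can) only shows up at the console. The script below is an added example, not part of the wiki page: a handful of sanity checks a practitioner can run against /etc after the edits, each taking a file path so it also works on copies. It assumes GNU coreutils (stat -c) and grep -E, both standard on Gentoo; the sample files it builds at the end use made-up hosts, DNs and a placeholder password.

```shell
#!/bin/sh
# Added example, not part of the wiki page: sanity checks for the files the
# LDAP/autofs section edits. Every check takes a file path, so it can be run
# against the live /etc or against copies; 0 = fine, 1 = finding (on stderr).
# Assumes GNU coreutils (stat -c) and grep -E, both present on Gentoo.

# nsswitch.conf: passwd, shadow and group must each consult ldap, otherwise
# pam_unix never sees the directory accounts.
check_nsswitch() {
    local f="$1" db
    for db in passwd shadow group; do
        if ! grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|\$)" "$f"; then
            echo "$f: '$db' does not consult ldap" >&2
            return 1
        fi
    done
    return 0
}

# /etc/shells: the login shell that LDAP hands out (/bin/localshell here) must
# be listed, or programs that call getusershell() refuse the account.
check_shells() {
    local f="$1" shell="${2:-/bin/localshell}"
    grep -qxF "$shell" "$f" || { echo "$f: $shell is not listed" >&2; return 1; }
}

# A bindpw line is a credential; the file holding it should be root-only (0600).
# /etc/ldap.conf has to stay world-readable for unprivileged lookups, which is
# why nss_ldap reads the password from /etc/ldap.secret instead.
check_bindpw_exposure() {
    local f="$1" mode
    grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$f" || return 0   # no credential here
    mode=$(stat -c '%a' "$f") || return 1
    [ "$mode" = "600" ] || { echo "$f: holds bindpw but mode is $mode, expected 600" >&2; return 1; }
}

# system-auth: 'nullok' on the auth line lets accounts with an empty password
# log in; report it so the choice is deliberate rather than inherited.
check_pam_nullok() {
    local f="$1"
    if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_unix\.so.*nullok' "$f"; then
        echo "$f: auth line accepts empty passwords (nullok)" >&2
        return 1
    fi
    return 0
}

# Run everything against one directory laid out like /etc; the return code is
# the number of findings, e.g.  audit_dir /etc
audit_dir() {
    local d="$1" findings=0
    check_nsswitch "$d/nsswitch.conf"        || findings=$((findings + 1))
    check_shells "$d/shells"                 || findings=$((findings + 1))
    check_bindpw_exposure "$d/ldap.conf"     || findings=$((findings + 1))
    [ -f "$d/ldap.secret" ] && { check_bindpw_exposure "$d/ldap.secret" || findings=$((findings + 1)); }
    check_pam_nullok "$d/pam.d/system-auth"  || findings=$((findings + 1))
    return "$findings"
}

# --- constructed sample tree (host, DNs and password are made up) ---
SAMPLES=$(mktemp -d)
mkdir -p "$SAMPLES/etc/pam.d"
cat > "$SAMPLES/etc/nsswitch.conf" <<'EOF'
passwd: compat ldap [UNAVAIL=return]
shadow: compat ldap [UNAVAIL=return]
group:  compat ldap [UNAVAIL=return]
hosts:  files dns
EOF
printf '/bin/localshell\n/bin/bash\n/bin/sh\n' > "$SAMPLES/etc/shells"
printf 'host 192.0.2.10\nbase dc=example,dc=org\nbindpw not-a-real-secret\n' > "$SAMPLES/etc/ldap.conf"
chmod 644 "$SAMPLES/etc/ldap.conf"                     # world-readable: finding
cp "$SAMPLES/etc/ldap.conf" "$SAMPLES/etc/ldap.secret"
chmod 600 "$SAMPLES/etc/ldap.secret"                   # root-only: fine
printf 'auth required pam_unix.so nullok\naccount required pam_unix.so\n' \
    > "$SAMPLES/etc/pam.d/system-auth"                 # nullok: finding
# A second nsswitch.conf that forgot ldap, to show the negative case.
printf 'passwd: compat\nshadow: compat\ngroup: compat\n' > "$SAMPLES/nsswitch-local-only.conf"
```

Against the constructed tree audit_dir reports two findings: the bindpw sitting in a world-readable ldap.conf, and nullok on the auth line. Whether either is acceptable is a local decision (the page's own system-auth comment explains why nullok is there); the point of the script is that the decision is visible rather than buried in a config file copied from another machine.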
Rescuing a Gentoo System
There are two basic ways to consider:
- Boot from a CD
- Build critical/rescue packages on another (working) machine, and then install them on the problematic box
Rescue CD Method
boot from a CD, typically
boot: gentoo
enable swap (of course, your swap-partition may differ! Most of ours are the second primary partition, whether /dev/hda2, or /dev/sda2, or /dev/sdb2)
livecd root # swapon /dev/sda2
mount the main (root) partition, optionally the boot partition
livecd root # mount /dev/sda3 /mnt/gentoo
livecd root # mount /dev/sda1 /mnt/gentoo/boot
get some networking going
livecd root # dhcpcd &
livecd root # ifconfig eth0 up
livecd root # ifconfig (verify we got an IP)
prepare for chrooting
livecd root # mount -t proc none /mnt/gentoo/proc
livecd root # mount -o bind /dev /mnt/gentoo/dev
set up a new environment root
livecd root # cd /mnt/gentoo
livecd gentoo # chroot /mnt/gentoo /bin/bash
livecd / # env-update
livecd / # source /etc/profile
livecd / # export PS1="(chroot) $PS1"
Grub reads the /etc/mtab file to learn about the currently mounted filesystems (you only need to do this if your rescue-work involves GRUB):
livecd / # cp /proc/mounts /etc/mtab
Now, do your rescue work. Good luck!
To back out of the chroot, and check your fix(es)
livecd / # exit
livecd root # cd /
livecd root # umount /mnt/gentoo/boot /mnt/gentoo/proc /mnt/gentoo/dev /mnt/gentoo
livecd root # reboot
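Two places in the rescue procedure above are easy to get wrong by hand: forgetting one of the proc/dev mounts before the chroot (tools inside then fail in confusing ways), and unmounting /mnt/gentoo before its sub-mounts at the end. The script below is an added example, not part of the wiki page; it reads the same /proc/mounts data the page copies into /etc/mtab and checks both points. The mount table it builds at the end is a constructed sample that mirrors the sda1/sda3 layout used above; it assumes awk, sort and cut from an ordinary Linux userland.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Reads lines in /proc/mounts format
# (device mountpoint fstype options dump pass) and answers two questions the
# rescue steps above rely on: is everything a chroot needs mounted under
# /mnt/gentoo, and in which order should it all be unmounted afterwards?
# Assumes awk, sort and cut from a normal Linux userland.

# chroot_ready MOUNTS_FILE ROOT: 0 if ROOT, ROOT/proc and ROOT/dev are all
# mounted; 1 (with the missing ones on stderr) otherwise.
chroot_ready() {
    local mounts="$1" root="$2" want missing=""
    for want in "$root" "$root/proc" "$root/dev"; do
        awk -v mp="$want" '$2 == mp { found = 1 } END { exit !found }' "$mounts" \
            || missing="$missing $want"
    done
    if [ -n "$missing" ]; then
        echo "not mounted:$missing" >&2
        return 1
    fi
    return 0
}

# unmount_order MOUNTS_FILE ROOT: every mount point at or below ROOT, deepest
# first, so no umount hits a still-mounted child (the order the umount line
# above uses, derived instead of typed).
unmount_order() {
    local mounts="$1" root="$2"
    awk -v root="$root" '
        $2 == root || index($2, root "/") == 1 { print length($2) "\t" $2 }
    ' "$mounts" | sort -rn | cut -f2-
}

# unmount_tree ROOT: apply that order to the live system (reads /proc/mounts).
unmount_tree() {
    unmount_order /proc/mounts "$1" | while read -r mp; do umount "$mp"; done
}

# --- constructed sample, mirroring the partition layout used above ---
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda3 /mnt/gentoo ext4 rw,relatime 0 0
/dev/sda1 /mnt/gentoo/boot ext2 rw,relatime 0 0
none /mnt/gentoo/proc proc rw 0 0
udev /mnt/gentoo/dev devtmpfs rw 0 0
EOF
# The same layout with the 'mount -t proc' step forgotten.
SAMPLE_NO_PROC=$(mktemp)
grep -v ' /mnt/gentoo/proc ' "$SAMPLE_MOUNTS" > "$SAMPLE_NO_PROC"

# Typical use inside the rescue session, just before 'chroot /mnt/gentoo /bin/bash':
#   chroot_ready /proc/mounts /mnt/gentoo || exit 1
# and after leaving the chroot, instead of the hand-typed umount line:
#   unmount_tree /mnt/gentoo
```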
Build Critical/Rescue files on Another Machine
This approach is commonly required when a machine is in such a state that it cannot compile successfully. Often the broken culprits are coreutils, binutils, or gcc. If the machine cannot compile, we can use another similarly-configured / similar-architecture computer to build binary packages for us; these are then simply copied, unpacked and quickly installed onto the problem machine.
HINT: even if you don't have a broken system, this approach of build on one machine / install on another can be a real time-saver, if your build-host is a fast machine.
On the build-host, as root:
buildhost root # emerge -B <problem_packages> (you can, of course, test the build by using the -p/--pretend option: emerge -pB)
This builds a .tbz2 tarball, with emerge information included, but does not install it onto the build-host system. Typically this will be found on the buildhost under /usr/portage/packages/<category>/<problem_package>. We must now copy this over to the target machine (the one to be rescued):
buildhost root # scp /usr/portage/packages/<category>/<problem_package> root@target:/usr/portage/packages/All/
OR (depending on system specifics)
buildhost root # scp /usr/portage/packages/<category>/<problem_package> root@target:/usr/portage/packages/<category>
Now move over to the target machine (the one to be rescued):
target root # emerge -K <problem_packages> (again, you can test the installation by invoking emerge -pK)
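A binary package built on one machine and installed as root on another deserves a quick look before emerge -K unpacks it: that the file which arrived is the one the build host produced, and that its member paths stay inside the install tree. The script below is an added example, not part of the wiki page or of Portage; it assumes GNU tar (which auto-detects compression when reading) and sha256sum from coreutils. The packages it builds at the end are constructed samples; a real Gentoo .tbz2 carries Portage's xpak metadata after the compressed tar, so tar may print a trailing-data warning on it, but the member list is still complete.

```shell
#!/bin/sh
# Added example, not part of the wiki page: checks to run on a binary package
# that was built elsewhere, before 'emerge -K' installs it. Assumes GNU tar
# (auto-detects compression when reading) and sha256sum from coreutils.
# On a real .tbz2 tar may warn about trailing data (Portage's xpak trailer);
# the member list is still complete.

# Digest of a package file; record this on the build host and pass it along
# separately from the file itself.
pkg_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# On the target: the file that arrived must hash to what the build host recorded.
verify_pkg() {
    local pkg="$1" expected="$2" actual
    actual=$(pkg_digest "$pkg") || return 1
    [ "$actual" = "$expected" ] || { echo "$pkg: digest mismatch" >&2; return 1; }
}

# Member names must stay inside the install tree: no absolute paths and no
# '..' components. -P makes tar print the names exactly as stored.
pkg_paths_ok() {
    local pkg="$1" bad
    bad=$(tar -tPf "$pkg" 2>/dev/null | grep -E '^/|(^|/)\.\.(/|$)' | head -n 5)
    if [ -n "$bad" ]; then
        printf '%s: unsafe member paths:\n%s\n' "$pkg" "$bad" >&2
        return 1
    fi
    return 0
}

# Everything that should pass before the package is handed to emerge -K:
#   preinstall_check /usr/portage/packages/All/foo-1.0.tbz2 "$digest_from_buildhost"
preinstall_check() {
    verify_pkg "$1" "$2" && pkg_paths_ok "$1"
}

# --- constructed samples (a toy package, not a real Portage binpkg) ---
WORK=$(mktemp -d)
mkdir -p "$WORK/image/usr/bin"
printf '#!/bin/sh\necho hello\n' > "$WORK/image/usr/bin/hello"
SAMPLE_PKG="$WORK/hello-1.0.tbz2"
tar -czf "$SAMPLE_PKG" -C "$WORK/image" .           # members: ./usr/bin/hello ...
SAMPLE_DIGEST=$(pkg_digest "$SAMPLE_PKG")           # what the build host would record
# A copy altered in transit: one extra byte is enough to change the digest.
TAMPERED_PKG="$WORK/hello-1.0-tampered.tbz2"
cp "$SAMPLE_PKG" "$TAMPERED_PKG"
printf 'x' >> "$TAMPERED_PKG"
# An archive whose member path is absolute (kept by -P when creating it).
BAD_PKG="$WORK/escapes.tar"
tar -cPf "$BAD_PKG" "$WORK/image/usr/bin/hello"
```

The digest comparison covers the file as copied; scp already protects it in transit, so the check mostly catches the wrong file being copied (an older build of the same package, or the right name in the wrong category directory). The path check is the one that matters for an archive you did not build yourself.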