Linux Administration & Maintenance

From SR
Jump to: navigation, search

Gentoo

On-Campus, we can speed installation/updates by using a local source; in your /etc/make.conf:

GENTOO_MIRRORS="rsync://musashi.iat.sfu.ca/gentoo/"

An alternative is to use an NFS mount, but if NFS breaks or is unavailable... :-(
Robin: "For best performance, I recommend mounting musashi.iat.sfu.ca:/export/gentoo/distfiles on /mnt/distfiles and specifying that in your make.conf. The NFS route ensures that downloaded files go back into the mirror."
Gentoo Local-Mirror Operation

LDAP Authentication, and Home-Directory AutoMounting

First, make sure you have the necessary packages on your system (NOTE: enable LDAP USE-FLAG where it appears, like autofs):

hostname ~ # emerge -v pam_ldap nss_ldap autofs

There are seven configuration files, and two directories which must be correct:

/etc/ldap.conf
/etc/nsswitch.conf
/etc/auto.master
/etc/conf.d/autofs
/etc/localshell.conf
/etc/pam.d/system-auth
/bin/localshell
/home/users/
/home/projects/


Create the necessary directories:

hostname ~ # mkdir /home/users
hostname ~ # mkdir /home/projects
hostname ~ # mkdir /etc/localshell

Emerge localshell and copy over /etc/localshell.conf from a working machine.

Modify /etc/shells to include /bin/localshell as a valid shell, like this:

# /etc/shells: valid login shells
/bin/localshell
/bin/bash
/usr/bin/nxserver
/bin/csh
/bin/esh
/bin/fish
/bin/ksh
/bin/sash
/bin/sh
/bin/tcsh
/bin/zsh


Example /etc/ldap.conf, with commented-out portions omitted

# Your LDAP server. Must be resolvable without using LDAP.
host 209.87.56.238

# The distinguished name of the search base.
base dc=iat,dc=sfu,dc=ca

# The distinguished name to bind to the server with.
binddn cn=Reader,dc=iat,dc=sfu,dc=ca

# The credentials to bind with.
bindpw <supersecret!!>

# RFC2307bis naming contexts
nss_base_passwd         ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_shadow         ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_group          ou=Group,dc=iat,dc=sfu,dc=ca
nss_base_hosts          ou=Hosts,dc=iat,dc=sfu,dc=ca
nss_base_services       ou=Services,dc=iat,dc=sfu,dc=ca
nss_base_networks       ou=Networks,dc=iat,dc=sfu,dc=ca
nss_base_protocols      ou=Protocols,dc=iat,dc=sfu,dc=ca
nss_base_rpc            ou=Rpc,dc=iat,dc=sfu,dc=ca
nss_base_ethers         ou=Ethers,dc=iat,dc=sfu,dc=ca
nss_base_netmasks       ou=Networks,dc=iat,dc=sfu,dc=ca
nss_base_bootparams     ou=Ethers,dc=iat,dc=sfu,dc=ca
nss_base_aliases        ou=Aliases,dc=iat,dc=sfu,dc=ca
nss_base_netgroup       ou=Netgroup,dc=iat,dc=sfu,dc=ca
nss_reconnect_tries 1			# number of times to double the sleep time
nss_reconnect_sleeptime 1		# initial sleep value
nss_reconnect_maxsleeptime 1	# max sleep value to cap at
nss_reconnect_maxconntries 3	# how many tries before sleeping

Create and populate /etc/ldap.secret from a working machine.

Example /etc/nsswitch.conf:

passwd:      compat ldap [UNAVAIL=return]
shadow:      compat ldap [UNAVAIL=return]
group:       compat ldap [UNAVAIL=return]

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files


Example /etc/autofs/auto.master

/home/users     ldap:209.87.56.238:ou=home.users,ou=AutoFS,dc=iat,dc=sfu,dc=ca
/home/projects  ldap:209.87.56.238:ou=home.projects,ou=AutoFS,dc=iat,dc=sfu,dc=ca


Example /etc/pam.d/system-auth

 # Prompt user for pass, check against unix auth-method.
 # Includes nsswitch, so an LDAP pass will succeed, if nsswitch is configured.
 # Certain users or services may have blank passwords; we'll allow these to succeed
auth               required          pam_unix.so nullok

 # Account verification, password expiration.
 # Also checks LDAP, if nsswitch.conf is configured.
account            required          pam_unix.so

 # We don't allow changing of (logged-in user account) passwords directly on this machine
 # Use tools on LDAP server instead
password           required          pam_deny.so

 # Log username and service to /var/log/messages (audit trail)
session            required          pam_unix.so


Example /etc/conf.d/autofs

TIMEOUT=300
BROWSE_MODE="no"
USE_MISC_DEVICE="yes"
MAP_OBJECT_CLASS="organizationalUnit"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"

Rescuing a Gentoo System

There are two basic ways to consider:

  • Boot from a CD
  • Build critical/resuce packages on another (working) machine, and then install them on the problematic box
  • Rescue CD Method

    boot from a CD, typically

    boot: gentoo
    

    enable swap (of course, your swap-partition may differ! Most of ours are the second primary partion, whether /dev/hda2, or /dev/sda2, or /dev/sdb2)

    livecd root # swapon /dev/sda2
    

    mount the main (root) partition, optionally the boot partition

    livecd root # mount /dev/sda3 /mnt/gentoo
    livecd root # mount /dev/sda1 /mnt/gentoo/boot
    

    get some networking going

    livecd root # dhcpcd &
    livecd root # ifconfig eth0 up
    livecd root # ifconfig  (verify we got an IP)
    

    prepare for chrooting

    livecd root # mount -t proc none /mnt/gentoo/proc
    livecd root # mount -o bind /dev /mnt/gentoo/dev
    

    set up a new environment root

    livecd root # cd /mnt/gentoo
    livecd gentoo # chroot /mnt/gentoo /bin/bash
    livecd / # env-update
    livecd / # source /etc/profile
    livecd / # export PS1="(chroot) $PS1"
    

    Grub reads the /etc/mtab file to learn about the currently mounted filesystems (you only need to do this if your rescue-work involves GRUB):

    livecd / # cp /proc/mounts /etc/mtab
    

    Now, do your rescue work. Good luck!

    To back out of the chroot, and check your fix(es)

    livecd / # exit
    livecd root # cd /
    livecd root # umount /mnt/gentoo/boot /mnt/gentoo/proc /mnt/gentoo/dev /mnt/gentoo
    livecd root # reboot
    

    Build Critical/Rescue files on Another Machine

    This approach is commonly required when a machine is in such a state that it cannot compile successfully. Often the broken culprits are coreutils, binutils, or gcc. If the machine cannot compile, we can use another similarly-configured / similar-architecture computer to build binary packages for us; these are then simply copied, unpacked and quickly installed onto the problem machine.
    HINT: even if you don't have a broken system, this approach of build on one machine / install on another can be a real time-saver, if your build-host is a fast machine.

    On the build-host, as root:

    buildhost root # emerge -B <problem_packages>   <you can, or course, test the build by using the -p/--pretend option:  emerge -pB>
    

    This builds a .tbz2 tarball, with emerge information included, but does not install it onto the build-host system. Typically this will be found on the buildhost under /usr/portage/packages/<category>/<problem_package>. We must now copy this over to the targe machine (the one to be rescued):

    buildhost root # scp /usr/portage/packages/<category>/<problem_package> root@target:/usr/portage/packages/All/
    

    OR (depending on system specifics)

    buildhost root # scp /usr/portage/packages/<category>/<problem_package> root@target:/usr/portage/packages/<category>
    

    Now move over to the target machine (the one to be rescued):

    target root # emerge -K <problem_packages>   <again, you can test the installation by invoking emerge -pK>
    


    Linux Tips and Tools

    Linux Tips and Tools