Linux Administration & Maintenance: Difference between revisions

(78 intermediate revisions by 5 users not shown)

Latest revision as of 19:37, 28 August 2015

Gentoo

On-Campus, we can speed installation/updates by using a local source; in your /etc/make.conf:

GENTOO_MIRRORS="rsync://musashi.iat.sfu.ca/gentoo/"

An alternative is to use an NFS mount, but if NFS breaks or is unavailable... :-(
Robin: "For best performance, I recommend mounting musashi.iat.sfu.ca:/export/gentoo/distfiles on /mnt/distfiles and specifying that in your make.conf. The NFS route ensures that downloaded files go back into the mirror."
Gentoo Local-Mirror Operation

LDAP Authentication, and Home-Directory AutoMounting

First, make sure you have the necessary packages on your system (NOTE: enable LDAP USE-FLAG where it appears, like autofs):

hostname ~ # emerge -v pam_ldap nss_ldap autofs

There are seven configuration files, and two directories which must be correct:

/etc/ldap.conf
/etc/nsswitch.conf
/etc/auto.master
/etc/conf.d/autofs
/etc/localshell.conf
/etc/pam.d/system-auth
/bin/localshell
/home/users/
/home/projects/


Create the necessary directories:

hostname ~ # mkdir /home/users
hostname ~ # mkdir /home/projects
hostname ~ # mkdir /etc/localshell

Emerge localshell and copy over /etc/localshell.conf from a working machine.

Modify /etc/shells to include /bin/localshell as a valid shell, like this:

# /etc/shells: valid login shells
/bin/localshell
/bin/bash
/usr/bin/nxserver
/bin/csh
/bin/esh
/bin/fish
/bin/ksh
/bin/sash
/bin/sh
/bin/tcsh
/bin/zsh


Example /etc/ldap.conf, with commented-out portions omitted

# Your LDAP server. Must be resolvable without using LDAP.
host 209.87.56.238

# The distinguished name of the search base.
base dc=iat,dc=sfu,dc=ca

# The distinguished name to bind to the server with.
binddn cn=Reader,dc=iat,dc=sfu,dc=ca

# The credentials to bind with.
bindpw <supersecret!!>

# RFC2307bis naming contexts
nss_base_passwd         ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_shadow         ou=Users,dc=iat,dc=sfu,dc=ca
nss_base_group          ou=Group,dc=iat,dc=sfu,dc=ca
nss_base_hosts          ou=Hosts,dc=iat,dc=sfu,dc=ca
nss_base_services       ou=Services,dc=iat,dc=sfu,dc=ca
nss_base_networks       ou=Networks,dc=iat,dc=sfu,dc=ca
nss_base_protocols      ou=Protocols,dc=iat,dc=sfu,dc=ca
nss_base_rpc            ou=Rpc,dc=iat,dc=sfu,dc=ca
nss_base_ethers         ou=Ethers,dc=iat,dc=sfu,dc=ca
nss_base_netmasks       ou=Networks,dc=iat,dc=sfu,dc=ca
nss_base_bootparams     ou=Ethers,dc=iat,dc=sfu,dc=ca
nss_base_aliases        ou=Aliases,dc=iat,dc=sfu,dc=ca
nss_base_netgroup       ou=Netgroup,dc=iat,dc=sfu,dc=ca
nss_reconnect_tries 1			# number of times to double the sleep time
nss_reconnect_sleeptime 1		# initial sleep value
nss_reconnect_maxsleeptime 1	# max sleep value to cap at
nss_reconnect_maxconntries 3	# how many tries before sleeping

Create and populate /etc/ldap.secret from a working machine. (This line is struck through in the source, i.e. it is no longer part of the procedure.)

Example /etc/nsswitch.conf:

passwd:      compat ldap [UNAVAIL=return]
shadow:      compat ldap [UNAVAIL=return]
group:       compat ldap [UNAVAIL=return]

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files


Example /etc/autofs/auto.master

/home/users     ldap:209.87.56.238:ou=home.users,ou=AutoFS,dc=iat,dc=sfu,dc=ca
/home/projects  ldap:209.87.56.238:ou=home.projects,ou=AutoFS,dc=iat,dc=sfu,dc=ca


Example /etc/pam.d/system-auth

 # Prompt user for pass, check against unix auth-method.
 # Includes nsswitch, so an LDAP pass will succeed, if nsswitch is configured.
 # Certain users or services may have blank passwords; we'll allow these to succeed
auth               required          pam_unix.so nullok

 # Account verification, password expiration.
 # Also checks LDAP, if nsswitch.conf is configured.
account            required          pam_unix.so

 # We don't allow changing of (logged-in user account) passwords directly on this machine
 # Use tools on LDAP server instead
password           required          pam_deny.so

 # Log username and service to /var/log/messages (audit trail)
session            required          pam_unix.so


Example /etc/conf.d/autofs

TIMEOUT=300
BROWSE_MODE="no"
USE_MISC_DEVICE="yes"
MAP_OBJECT_CLASS="organizationalUnit"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"
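An added example, not from the original page: a POSIX shell audit of the files listed above, run here against constructed copies of the page's samples (the directory layout mirroring /etc, the check names and the PLACEHOLDER bind password are assumptions). Besides confirming the LDAP wiring, it flags the two settings in this setup a reviewer would query: a bindpw line in a world-readable ldap.conf, which the root-only /etc/ldap.secret mechanism exists to avoid, and nullok on the pam_unix auth line.

```shell
#!/bin/sh
# Added audit for the LDAP/NSS/PAM/autofs files listed above (not the page's
# own tooling). Each check takes one file path, so it works on /etc of a real
# host or on the constructed samples written by make_samples.

# 0 if a bindpw line sits in a world-readable file: nss_ldap runs inside every
# process that resolves a user, so non-root lookups need this file world-readable.
ldap_conf_exposes_bindpw() {
    grep -q '^[[:space:]]*bindpw' "$1" && find "$1" -perm -004 | grep -q .
}
# 0 if the passwd, shadow and group databases all consult the ldap source.
nsswitch_uses_ldap() {
    for db in passwd shadow group; do
        grep -E "^$db:"'[[:space:]].*[[:space:]]ldap([[:space:]]|$)' "$1" >/dev/null || return 1
    done
}
# 0 if the pam_unix auth line carries nullok (blank passwords are accepted).
pam_allows_empty_password() {
    grep -E '^[[:space:]]*auth[[:space:]].*pam_unix\.so.*nullok' "$1" >/dev/null
}
# 0 if /bin/localshell is registered as a valid login shell.
shells_has_localshell() { grep -qx '/bin/localshell' "$1"; }
# 0 if both home maps in auto.master are served from LDAP.
automaster_uses_ldap() {
    grep -q '^/home/users[[:space:]].*ldap:' "$1" && grep -q '^/home/projects[[:space:]].*ldap:' "$1"
}
# Run all checks on DIR (laid out like /etc), print one line per finding, return the count.
audit_dir() {
    n=0
    ldap_conf_exposes_bindpw "$1/ldap.conf" && { echo "WARN bindpw in world-readable ldap.conf (use root-only ldap.secret)"; n=$((n+1)); }
    nsswitch_uses_ldap "$1/nsswitch.conf" || { echo "WARN nsswitch: passwd/shadow/group do not all use ldap"; n=$((n+1)); }
    pam_allows_empty_password "$1/pam.d/system-auth" && { echo "WARN nullok on pam_unix auth line"; n=$((n+1)); }
    shells_has_localshell "$1/shells" || { echo "WARN /bin/localshell missing from shells"; n=$((n+1)); }
    automaster_uses_ldap "$1/autofs/auto.master" || { echo "WARN auto.master home maps not served by LDAP"; n=$((n+1)); }
    return $n
}
# Constructed samples mirroring the page's examples; PLACEHOLDER stands in for the real bindpw.
make_samples() {
    mkdir -p "$1/pam.d" "$1/autofs"
    printf 'host 209.87.56.238\nbase dc=iat,dc=sfu,dc=ca\nbinddn cn=Reader,dc=iat,dc=sfu,dc=ca\nbindpw PLACEHOLDER\n' > "$1/ldap.conf"
    chmod 644 "$1/ldap.conf"
    printf 'passwd:  compat ldap [UNAVAIL=return]\nshadow:  compat ldap [UNAVAIL=return]\ngroup:   compat ldap [UNAVAIL=return]\nhosts:   files dns\n' > "$1/nsswitch.conf"
    printf 'auth     required pam_unix.so nullok\naccount  required pam_unix.so\npassword required pam_deny.so\nsession  required pam_unix.so\n' > "$1/pam.d/system-auth"
    printf '# /etc/shells: valid login shells\n/bin/localshell\n/bin/bash\n/bin/sh\n' > "$1/shells"
    printf '/home/users     ldap:209.87.56.238:ou=home.users,ou=AutoFS,dc=iat,dc=sfu,dc=ca\n/home/projects  ldap:209.87.56.238:ou=home.projects,ou=AutoFS,dc=iat,dc=sfu,dc=ca\n' > "$1/autofs/auto.master"
}
# Stand-alone run: audit the directory given as $1 (e.g. /etc), otherwise the samples.
if [ $# -gt 0 ]; then dir=$1; else dir=$(mktemp -d); make_samples "$dir"; fi
rc=0; audit_dir "$dir" || rc=$?
echo "findings: $rc"   # 2 for the samples: exposed bindpw, nullok
```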

Rescuing a Gentoo System

There are two basic ways to consider:

  • Boot from a CD
  • Build critical/rescue packages on another (working) machine, and then install them on the problematic box

Rescue CD Method

boot from a CD, typically

boot: gentoo

enable swap (of course, your swap-partition may differ! Most of ours are the second primary partition, whether /dev/hda2, or /dev/sda2, or /dev/sdb2)

livecd root # swapon /dev/sda2

mount the main (root) partition, optionally the boot partition

livecd root # mount /dev/sda3 /mnt/gentoo
livecd root # mount /dev/sda1 /mnt/gentoo/boot

get some networking going

livecd root # dhcpcd &
livecd root # ifconfig eth0 up
livecd root # ifconfig  (verify we got an IP)

prepare for chrooting

livecd root # mount -t proc none /mnt/gentoo/proc
livecd root # mount -o bind /dev /mnt/gentoo/dev

set up a new environment root

livecd root # cd /mnt/gentoo
livecd gentoo # chroot /mnt/gentoo /bin/bash
livecd / # env-update
livecd / # source /etc/profile
livecd / # export PS1="(chroot) $PS1"

Grub reads the /etc/mtab file to learn about the currently mounted filesystems (you only need to do this if your rescue-work involves GRUB):

livecd / # cp /proc/mounts /etc/mtab

Now, do your rescue work. Good luck!

To back out of the chroot, and check your fix(es):

livecd / # exit
livecd root # cd /
livecd root # umount /mnt/gentoo/boot /mnt/gentoo/proc /mnt/gentoo/dev /mnt/gentoo
livecd root # reboot

Build Critical/Rescue files on Another Machine

This approach is commonly required when a machine is in such a state that it cannot compile successfully. Often the broken culprits are coreutils, binutils, or gcc. If the machine cannot compile, we can use another similarly-configured / similar-architecture computer to build binary packages for us; these are then simply copied, unpacked and quickly installed onto the problem machine.
HINT: even if you don't have a broken system, this approach of build on one machine / install on another can be a real time-saver, if your build-host is a fast machine.

On the build-host, as root:

buildhost root # emerge -B <problem_packages>   (you can, of course, test the build first with the -p/--pretend option: emerge -pB)

This builds a .tbz2 tarball, with emerge information included, but does not install it onto the build-host system. Typically this will be found on the buildhost under /usr/portage/packages/<category>/<problem_package>. We must now copy this over to the target machine (the one to be rescued):

buildhost root # scp /usr/portage/packages/<category>/<problem_package> root@target:/usr/portage/packages/All/

OR (depending on system specifics)

buildhost root # scp /usr/portage/packages/<category>/<problem_package> root@target:/usr/portage/packages/<category>

Now move over to the target machine (the one to be rescued):

target root # emerge -K <problem_packages>   (again, you can test the installation first with emerge -pK)

Linux Tips and Tools

See the Linux Tips and Tools page.