Differences between revisions 9 and 10
Line 307: | Line 307: |
30 05 * * * root systemd-cat /opt/borgscripts/borg-backup /etc /mnt/backup/gs2 | 30 05 * * * root systemd-cat /opt/borgscripts/borg-backup /etc gs2-root@b:. |
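Review bot: the new destination `gs2-root@b:.` names the repository only relative to gs2-root's home directory on b, so the cron line no longer shows where the backup lands; the key this job uses is installed under /mnt/backup/gs2/.ssh/ on b with the forced command `borg serve --restrict-to-path /mnt/backup`, which permits any repository below /mnt/backup, not just this host's. Tighten the forced command to this client's own directory (`--restrict-to-path /mnt/backup/gs2`) and record the resolved repository path in a comment next to the cron entry.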
Line 312: | Line 312: |
Write a list of manually (manual) and all (install) installed packages to /etc/packages.[[BR]] This is done by creating systemd templates that effectively do `apt-mark showinstall >/etc/packages/install` and `apt-mark showmanual >/etc/packages/manual` each time /var/log/apt/history.log is modified. {{{ mkdir /etc/packages chgrp oswat /etc/packages cat >/etc/systemd/system/packages-@.path <<EOF [Unit] Description=Monitor apt log file [Path] PathChanged=/var/log/apt/history.log [Install] WantedBy=multi-user.target EOF cat >/etc/systemd/system/packages-@.service <<EOF [Unit] Description=Write list of installed packages to /etc/packages/%i StartLimitIntervalSec=900 StartLimitBurst=4 [Service] Group=oswat Type=oneshot StandardOutput=truncate:/etc/packages/%i ExecStart=apt-mark show%i EOF systemctl enable packages-@manual.path systemctl enable packages-@install.path }}} |
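Review bot: `systemctl enable packages-@manual.path` and `systemctl enable packages-@install.path` only arrange for the path units to start at boot; until the next reboot nothing watches history.log, and the units fire only on a change, so /etc/packages stays empty until the first apt run after that. Enable with `--now` (or start the two .path units) and seed the files once with `apt-mark showmanual >/etc/packages/manual` and `apt-mark showinstall >/etc/packages/install`, otherwise the nightly /etc backup carries no package list.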
Overview
Basic data
Hostname | gs2.fluid.tuwien.ac.at
Model | Supermicro X10SRW-F S/N: NM154S015315
Purpose | graphics server
Operating system | debian
Management interface |
Operator credentials | user: e322 (@mgs2; allowed to power on/off gs2) | Re2300PrandtlTaylor
Authentication options | TU password
Hardware
CPU | Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz (4 cores); Socket: FCLGA2011-3
RAM | 32 GiB; up to 256 GB DDR4-2400MHz
Storage | 500 GB (/) Samsung SSD 850 EVO 500GB
Graphics card | GeForce GTX 960
BMC | AST2400 controller
Motherboard battery type | CR2032
Firmware
BIOS | Version 3.4, Build Date 2021-06-05
BMC | Version 03.93, Build Date 2021-05-28
User's manuals for motherboard/BIOS and BMC/IPMI.
Configuration
All customized configuration files are usually marked by group oswat, sometimes also by user oswat; list them with
{{{
find /etc -user oswat -o -group oswat
}}}
BIOS
press DEL to enter BIOS, F11 for boot menu
Admins
- Thomas Loimer
- Rudolf Ladner (ZID)
Firmware update
Baseboard Management Controller (BMC)
Update the firmware, because the newer version provides an iKVM/HTML5 virtual console and Redfish.
Initially, the IP address of the BMC was statically set to 128.131.183.xxx; it was necessary to go to the server room and access the BMC from the console.
On 2024-04-24, download the firmware BMC_X10AST2400-32M_20210528_03.93_STD.zip from https://www.supermicro.com/en/support/resources/downloadcenter/firmware/MBD-X10SRW-F/BMC
and unzip it. Trying to dump the current firmware with the AlUpdate binary contained in the zip file resulted in a core dump.
Log in to the GUI of the BMC -> Maintenance -> Update Firmware
and upload the (exactly 32 MiB) file BMC_X10AST2400-32M_20210528_03.93_STD.bin. Uncheck the box "Preserve configuration"; the network settings thankfully remain.
BIOS
Download the firmware on 2024-04-24 from https://www.supermicro.com/en/support/resources/downloadcenter/firmware/MBD-X10SRW-F/BIOS (file X10SRW1.605.zip) and unzip it. The BIOS update needs an activation key; get one with the tool from https://github.com/bwachter/supermicro-ipmi-key.
Generate the activation key with ./supermicro-ipmi-key 0c:c4:7a:37:57:9d, output: 90d4 cdb7 ab21 0cf7 33d0 96fa. Log in to the GUI of the BMC -> BIOS Update, choose the file (exactly 16 MiB) X10SRW1.605, uncheck all preserve boxes (ME region, NVRAM, SMBIOS) and click Start Upgrade.
BIOS Settings
Advanced -> PCIe/PCI/PnP Configuration:
RSC-R1UW-E8R SLOT1 PCI-E X8 OPROM, RSC-R1UW-2E16 SLOT1 PCI-E X16 OPROM, RSC-R1UW-2E16 SLOT1 PCI-E X16 OPROM: Set type to EFI, was Legacy.
Onboard LAN OPROM Type: EFI, was Legacy.
Boot: Set boot type to EFI, was Dual.
Installation of the base system (2024-04-29)
Boot: the only boot medium present is PXE; choose
Linux Network Installs -> Debian -> Text Based Install
Debian Installer
Language: C - no localization
Select your location: Europe -> Austria
keymap to use: American English (since this is the keymap on the virtual iKVM/HTML5 keyboard)
Configure the network: eno1 (yields a DHCP address during installation) -> hostname: gs2
-> domain name: fluid.tuwien.ac.at
Choose a mirror of the Debian archive: enter information manually
-> mirror hostname: gd.tuwien.ac.at
-> mirror directory: /opsys/linux/debian
-> proxy information: (blank)
-> root password: ***
-> Full name for user account: (blank)
-> username: oswat
-> Password for the new user: (same as root)
Partition disks:
-> Guided - use entire disk
-> Select disk to partition: SCSI5 (0,0,0) (sda) - 500.1 GB ATA Samsung SSD 850
-> All files in one partition ... then, change partition to
#1 267.4 MB B f ESP efi_fs EFI System Partition, bootable (choose 265 MiB)
#2 465 GB f ext4 root_fs /
#3 34.8 GB f swap
Configuring popularity-contest: Yes
Software selection: (nothing except)
[*] SSH server
[*] standard system utilities
Reboot
Network
Remove legacy ifupdown, use systemd-networkd and systemd-resolved.
{{{
ssh oswat@dhcp1   # Log in to the temporary address
# some network details are already set
chgrp oswat /etc/hostname
# the static IP address
cat >/etc/systemd/network/20-gs2.network <<EOF
[Match]
Type=ether
[Network]
Description=Static ethernet connection
Address=128.130.169.115/25
Gateway=128.130.169.1
DNS=128.130.4.3
DNS=128.131.4.3
Domains=fluid.tuwien.ac.at
#NTP=tutimeb.tuwien.ac.at tutimec.tuwien.ac.at tutimea.tuwien.ac.at
NTP=128.130.3.131 128.131.2.3 128.130.2.3
EOF
chgrp oswat /etc/systemd/network/20-gs2.network
# remove legacy network stack
apt purge ifupdown && systemctl start systemd-networkd
}}}
After that the shell freezes; kill ssh and log in again:
{{{
ssh oswat@gs2
su -   # change to root
systemctl enable systemd-networkd
# systemd-resolved is supposed to have DNS caching,
# use it instead of a manual /etc/resolv.conf file
apt install systemd-resolved
# these are packages recommended by systemd-resolved; here they are useful
apt install libnss-myhostname libnss-resolve
# append my public key to .ssh/authorized_keys
# scp ed25519.pub >/root/.ssh/authorized_keys
}}}
Package sources
Use the local mirror gd.tuwien.ac.at, as entered during installation.
Do not install recommended packages.
{{{
chgrp oswat /etc/apt/sources.list
echo 'APT::Install-Recommends "false";' >/etc/apt/apt.conf.d/90recommended_false
chgrp oswat /etc/apt/apt.conf.d/90recommended_false
}}}
Have sshd not accept the user's environment
Do not forward the client's locale, since there is only C/POSIX on gs1.
{{{
apt install patch
patch /etc/ssh/sshd_config <<EOF
--- /etc/ssh/sshd_config.orig 2023-04-12 16:19:45.904116844 +0200
+++ /etc/ssh/sshd_config 2023-03-29 10:20:37.697903087 +0200
@@ -109,7 +109,7 @@
 #Banner none
 
 # Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
+#AcceptEnv LANG LC_*
 
 # override default of no subsystems
 Subsystem sftp /usr/lib/openssh/sftp-server
EOF
chgrp oswat /etc/ssh/sshd_config
}}}
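Review bot: commenting out `AcceptEnv LANG LC_*` changes the file only; the running sshd keeps accepting the client's locale variables until it re-reads its configuration, so the procedure should follow the patch with `sshd -t` to validate the edited file and then `systemctl reload ssh`.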
Allow all members of E322 to log in
{{{
apt install libnss-ldapd libpam-ldapd nscd   # additionally installs nslcd
}}}
Configuring nslcd:
LDAP server URI: ldaps://dc.intern.tuwien.ac.at
search base: ou=tu,dc=intern,dc=tuwien,dc=ac,dc=at
check server's SSL certificate: never
Name services to configure (/etc/nsswitch.conf): passwd, group, shadow
{{{
# quoted delimiter: ${sAMAccountName} must reach nslcd literally, not be expanded by the shell
cat >>/etc/nslcd.conf <<'EOF'
#
# CUSTOMIZATION
#
# The DN to bind with for normal lookups.
binddn cn=E322_LDAP,ou=interactive,ou=exchange,ou=IT-services,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
bindpw ***
base passwd ou=people,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
base shadow ou=people,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
base group ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
# Mappings
filter passwd (memberOf:1.2.840.113556.1.4.1941:=cn=E322_ALL,ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at)
map passwd uid sAMAccountName
map passwd uidNumber employeeID
map passwd gecos cn
map passwd homeDirectory "/home/${sAMAccountName}"
map passwd loginShell "/bin/bash"
map passwd gidNumber "2153"
filter shadow (memberOf:1.2.840.113556.1.4.1941:=cn=E322_ALL,ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at)
map shadow uid sAMAccountName
filter group (cn=E322*)
map group userPassword ""
map group gidNumber objectSid:S-1-5-21-527783839-1561677997-9029855232
EOF
# create home directories on first login
pam-auth-update --enable mkhomedir
# Login message (quoted delimiter keeps the backticks literal)
cat >/etc/motd <<'EOF'
Welcome to gs2.fluid.tuwien.ac.at

This computer is available for all members of the Institute of Fluid Mechanics and Heat Transfer.
By default, you belong to group E322 and everybody can read your files.
Issue the command `umask 077` if you want to keep your files private.
EOF
chgrp oswat /etc/nslcd.conf /etc/motd
systemctl restart nslcd
}}}
Hibernation
Hibernate after 72 hours of idle time. Download loadavgd-1.1.tar.xz from SourceForge, compile and install it. Compilation was done on a different machine.
With a swap partition, hibernation works without further customization.
{{{
wget https://downloads.sourceforge.net/project/loadavgd/loadavgd-1.1.tar.xz
# unpack and compile, see README
cp loadavgd /usr/local/sbin/
cp loadavgd.conf /etc/
cp loadavgd.service /etc/systemd/system/
cp loadavgd.8.gz /usr/local/share/man/man8/
patch -p1 /etc/loadavgd.conf <<EOF
diff -u old/loadavgd.conf new/loadavgd.conf
--- old/loadavgd.conf 2024-05-13 10:50:25.589751201 +0200
+++ new/loadavgd.conf 2024-05-13 10:50:30.133860741 +0200
@@ -12,10 +12,10 @@
 # the number of intervals times the duration of an interval.
 # Currently, must be one of "Suspend", "PowerOff", "Halt", "Hibernate",
 # "HybridSleep", or "SuspendThenHibernate".
-#action = Suspend
+action = Hibernate
 
 # How many intervals the computer must be idle before the action is taken.
-#intervals = 8
+intervals = 288
 
 # Duration of one interval.
 # Must be 1 for 1 minute, 2 for 5 minutes, or 3 for 15 minutes
EOF
systemctl enable loadavgd
chgrp oswat /etc/loadavgd.conf
}}}
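Review bot: `intervals = 288` yields the stated 72 hours only when one interval is 15 minutes (288 x 15 min); the setting that selects the interval duration follows the comment `# Must be 1 for 1 minute, 2 for 5 minutes, or 3 for 15 minutes` right after the hunk and is left at its shipped default, so check that the default is 3 or set it explicitly in the same patch.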
Backup configuration (/etc)
Create the user gs2-root@b.fluid.tuwien.ac.at; see the description of backup users on page b.
Create an ssh key, copy the public part to ~gs2-root@b/.ssh/authorized_keys, copy the backup scripts to /opt/backup_scripts and create a cron job for periodic backups. On b, create a cron job to prune the backups; again, see page b.
{{{
ssh-keygen -q -t ed25519 -N "" -f ~/.ssh/id_ed25519
# Copy the key to b. root is not allowed to log in, copy via a regular user
{ echo -n 'command="borg serve --restrict-to-path /mnt/backup",restrict '; cat ~/.ssh/id_ed25519.pub; } \
    | ssh tloimer@b "cat >/tmp/authorized_keys"
# as root on b, copy authorized_keys to its final destination
root@b$ install -m 600 -o gs2-root -g gs2-root /tmp/authorized_keys /mnt/backup/gs2/.ssh/ \
    && rm /tmp/authorized_keys
# daily backup
git clone oswat@b.fluid.tuwien.ac.at:backup-scripts.git /opt/borgscripts
cat >>/etc/cron.d/borg-backup <<EOF
30 05 * * * root systemd-cat /opt/borgscripts/borg-backup /etc gs2-root@b:.
EOF
chgrp oswat /etc/cron.d/borg-backup
apt install borgbackup
}}}
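Every backup client reaches b through a key with a forced `borg serve` command, so those authorized_keys entries are worth auditing. The script below is an added example, not part of this page or of the backup-scripts repository: it checks that an entry carries `restrict` and a `--restrict-to-path` (or `--restrict-to-repository`) at or below the client's own directory, assuming the one-directory-per-client layout /mnt/backup/<client> used for gs2; the key material in the sample is constructed.

```shell
#!/bin/sh
# Added example, not from this page or the backup-scripts repository.
# Audit a borg client's authorized_keys entry on the backup host: the entry must
# carry `restrict` and a forced `borg serve` whose --restrict-to-path or
# --restrict-to-repository lies at or below the client's own directory.
# Assumed layout (as for gs2): one directory per client, /mnt/backup/<client>.

# check_borg_key LINE DIR: exit 0 if LINE confines the key to DIR, 1 otherwise
check_borg_key() {
    line=$1 want=$2
    # the forced command is the quoted value of command="..."
    cmd=$(printf '%s\n' "$line" | sed -n 's/.*command="\([^"]*\)".*/\1/p')
    [ -n "$cmd" ] || return 1
    # the remaining options (everything before the key type) must include `restrict`
    opts=$(printf '%s\n' "$line" | sed 's/command="[^"]*"//; s/ .*//')
    case ",$opts," in *,restrict,*) ;; *) return 1 ;; esac
    set -- $cmd                      # word-split the forced command
    [ "$1 $2" = "borg serve" ] || return 1
    dir=
    while [ $# -gt 0 ]; do
        case $1 in
            --restrict-to-path|--restrict-to-repository)
                if [ $# -gt 1 ]; then dir=$2; shift; fi ;;
        esac
        shift
    done
    case $dir in
        "$want"|"$want"/*) return 0 ;;   # confined to the client's own directory
        *) return 1 ;;                   # missing, or broader than DIR
    esac
}

# audit_keys DIR: read an authorized_keys file on stdin, report offenders on
# stderr and print the number of non-compliant entries
audit_keys() {
    bad=0
    while IFS= read -r entry; do
        case $entry in ''|'#'*) continue ;; esac
        check_borg_key "$entry" "$1" ||
            { bad=$((bad + 1)); echo "NOT CONFINED: ${entry%%,*}" >&2; }
    done
    echo "$bad"
}
# Constructed sample (the key material is not real): the entry as installed on b
# for gs2, and a variant restricted to the client's own repository directory.
KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotARealKey root@gs2'
AS_INSTALLED="command=\"borg serve --restrict-to-path /mnt/backup\",restrict $KEY"
TIGHTENED="command=\"borg serve --restrict-to-path /mnt/backup/gs2\",restrict $KEY"
printf '%s\n' "$AS_INSTALLED" "$TIGHTENED" | audit_keys /mnt/backup/gs2   # prints 1
```

On b, run `audit_keys /mnt/backup/<client> </mnt/backup/<client>/.ssh/authorized_keys` for each backup user; a non-zero count means a key can reach other hosts' repositories.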
Write a list of manually (manual) and all (install) installed packages to /etc/packages.
This is done by creating systemd templates that effectively do apt-mark showinstall >/etc/packages/install and apt-mark showmanual >/etc/packages/manual each time /var/log/apt/history.log is modified.
{{{
mkdir /etc/packages
chgrp oswat /etc/packages
cat >/etc/systemd/system/packages-@.path <<EOF
[Unit]
Description=Monitor apt log file
[Path]
PathChanged=/var/log/apt/history.log
[Install]
WantedBy=multi-user.target
EOF
cat >/etc/systemd/system/packages-@.service <<EOF
[Unit]
Description=Write list of installed packages to /etc/packages/%i
StartLimitIntervalSec=900
StartLimitBurst=4
[Service]
Group=oswat
Type=oneshot
StandardOutput=truncate:/etc/packages/%i
ExecStart=apt-mark show%i
EOF
systemctl enable packages-@manual.path
systemctl enable packages-@install.path
}}}