Overview

Basic data

|| Hostname || gs2.fluid.tuwien.ac.at ||
|| Model || Supermicro X10SRW-F S/N: NM154S015315 ||
|| Purpose || graphics server ||
|| Operating system || debian ||
|| Management interface || http://mgs2.fluid.tuwien.ac.at ||
|| Authentication options || TU password ||

Hardware

|| CPU || Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz (4 cores); Socket: FCLGA2011-3 ||
|| RAM || 32 GiB; up to 256 GB DDR4-2400MHz ||
|| Storage || 500 GB (/) Samsung SSD 850 EVO 500GB ||
|| Graphics card || GeForce GTX 960 ||
|| BMC || AST2400 controller ||
|| Motherboard battery type || CR2032 ||

Firmware

|| BIOS || Version 3.4, Build Date 2021-06-05 ||
|| BMC ||

User's manuals for motherboard/BIOS and BMC/IPMI.

Configuration

All customized configuration files are usually marked by group oswat, sometimes also by user oswat. List them with:
find /etc -user oswat -o -group oswat

BIOS

Press DEL to enter the BIOS, F11 for the boot menu.

Admins

Firmware update

Baseboard Management Controller (BMC)

Update the firmware, because the newer version provides an iKVM/HTML5 virtual console.
Initially, the IP address of the BMC was set to static 128.131.183.xxx, so it was necessary to go to the server room and access the BMC from the console.

On 2024-04-24, download firmware BMC_X10AST2400-32M_20210528_03.93_STD.zip from https://www.supermicro.com/en/support/resources/downloadcenter/firmware/MBD-X10SRW-F/BMC

Unzip. Trying to dump the current firmware with the binary AlUpdate contained in the zip file resulted in a core dump.
Log in to the GUI of the BMC -> Maintenance -> Update Firmware.
Upload the file BMC_X10AST2400-32M_20210528_03.93_STD.bin (exactly 32 MiB). Uncheck the box Preserve configuration; network settings thankfully remain.

BIOS

Download firmware on 2024-04-24 from https://www.supermicro.com/en/support/resources/downloadcenter/firmware/MBD-X10SRW-F/BIOS, file X10SRW1.605.zip, and unzip it. The BIOS update needs an activation key; get one by using the tool from https://github.com/bwachter/supermicro-ipmi-key.
Generate the activation key: ./supermicro-ipmi-key 0c:c4:7a:37:57:9d, output: 90d4 cdb7 ab21 0cf7 33d0 96fa.
Log in to the GUI of the BMC -> BIOS Update, choose the file X10SRW1.605 (exactly 16 MiB), uncheck any preserve boxes (ME region, NVRAM, SMBIOS). Click Start Upgrade.

Settings

Advanced -> PCIe/PCI/PnP Configuration:
RSC-R1UW-E8R SLOT1 PCI-E X8 OPROM, RSC-R1UW-2E16 SLOT1 PCI-E X16 OPROM, RSC-R1UW-2E16 SLOT1 PCI-E X16 OPROM: set type to EFI, was Legacy.
Onboard LAN OPROM Type: EFI, was Legacy.

Installation of the base system (2024-04-26)

Debian bookworm (12.0) was installed on the 500 GB SSD: one partition (≈100 MB) for EFI (/boot/efi), the remainder of the disk for root (/) with an ext4 file system. The file systems were labelled root_fs and home_fs.
In the Debian installer, ssh-server was chosen and no localizations, only C and C.utf8.
Install grub2 as the bootloader; the kernel EFI stub needs a command line (root=/dev/sda2 initrd=\EFI\debian\initrd.img), and there is no way to set that from the BIOS.
An administrative user had to be created: oswat, whose home directory is /opt/oswat!

Partitioning

|| /dev/sda || 500 GB || || ||
|| /dev/sda1 || 94 MB || /boot/efi || vfat ||
|| /dev/sda2 || 500 GB || / || ext4 ||
|| /dev/sdb+c || 2 TB || /home || btrfs-raid1 ||

Network

echo gs1 >/etc/hostname

Note: the resolver (Domains=) and the NTP servers are set per interface, see below. This keeps the configuration in one file.

cat >/etc/systemd/network/10-gs1.network <<EOF
[Match]
MACAddress=0c:c4:7a:69:5a:20

[Network]
Description=Static ethernet connection
Address=128.130.169.110/25
Gateway=128.130.169.1
DNS=128.130.4.3
DNS=128.131.4.3
Domains=fluid.tuwien.ac.at
#NTP=tutimeb.tuwien.ac.at tutimec.tuwien.ac.at tutimea.tuwien.ac.at
NTP=128.130.3.131 128.131.2.3 128.130.2.3
EOF

Remove the legacy ifupdown, use NTP.

apt install systemd-resolved systemd-timesyncd
apt purge ifupdown

File systems

apt install btrfs-progs zstd
# create a btrfs-raid1 for data (-d) and metadata (-m) from /dev/sdb and /dev/sdc
mkfs.btrfs -f -L home_fs -d raid1 -m raid1 /dev/sdb /dev/sdc

cat >>/etc/fstab <<EOF
# / was on /dev/sda2 during installation
LABEL=root_fs   /               ext4    noatime,errors=remount-ro 0       1
# /boot/efi was on /dev/sda1 during installation
UUID=5AA6-2350  /boot/efi       vfat    umask=0077                0       1
LABEL=home_fs   /home           btrfs   compress=zstd             0       2
EOF

Installation sources

cat >/etc/apt/sources.list <<EOF
# Most preferred sources are listed first, see man sources.list(5)

deb http://gd.tuwien.ac.at/opsys/linux/debian bookworm main non-free contrib
deb-src http://gd.tuwien.ac.at/opsys/linux/debian bookworm main non-free contrib

# The fallback solution, if gd.tuwien does not work
deb http://deb.debian.org/debian bookworm main non-free contrib
deb-src http://deb.debian.org/debian bookworm main non-free contrib

deb http://security.debian.org/debian-security bookworm-security main contrib non-free
deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free

# bookworm-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://gd.tuwien.ac.at/opsys/linux/debian/ bookworm-updates main contrib non-free
deb-src http://gd.tuwien.ac.at/opsys/linux/debian/ bookworm-updates main contrib non-free
deb http://deb.debian.org/debian/ bookworm-updates main contrib non-free
deb-src http://deb.debian.org/debian/ bookworm-updates main contrib non-free
EOF

Do not install recommended packages by default.

echo 'APT::Install-Recommends "false";' >/etc/apt/apt.conf.d/90recommended_false

User access

sshd customization

Do not forward the client's locale, since there is only C/POSIX on gs1. Also, there is no sudo, so allow root to log in.

echo "PermitRootLogin yes" >/etc/ssh/sshd_config.d/permitrootlogin.conf

apt install patch
patch <<EOF
--- /etc/ssh/sshd_config.orig   2023-04-12 16:19:45.904116844 +0200
+++ /etc/ssh/sshd_config        2023-03-29 10:20:37.697903087 +0200
@@ -109,7 +109,7 @@
 #Banner none

 # Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
+#AcceptEnv LANG LC_*

 # override default of no subsystems
 Subsystem      sftp    /usr/lib/openssh/sftp-server
EOF
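Review bot: the ---/+++ headers carry the absolute path /etc/ssh/sshd_config, but the hunk is fed to a bare patch with no target file and no -p option, so patch falls back to the bare name sshd_config in the current directory, and nothing before this step changes into /etc/ssh. Name the target explicitly (patch /etc/ssh/sshd_config) or cd /etc/ssh first, and reload sshd afterwards so that the commented-out AcceptEnv at line 112 and the PermitRootLogin drop-in written above actually take effect.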

Allow all members of E322 to log in

# see https://arthurdejong.org/nss-pam-ldapd/
apt install libnss-ldapd libpam-ldapd nscd

# here is the entire /etc/nslcd.conf file
# some options in the first 20 lines might be set at installation time
# the delimiter is quoted so that the shell does not expand ${sAMAccountName} below
cat >/etc/nslcd.conf <<'EOF'
#
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://dc.intern.tuwien.ac.at

# The search base that will be used for all queries.
base ou=tu,dc=intern,dc=tuwien,dc=ac,dc=at

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn cn=E322_LDAP,ou=interactive,ou=exchange,ou=IT-services,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
bindpw **<confidential>**

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub

# Here ends the shipped configuration file, customisation starts ...

base    passwd  ou=people,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
base    shadow  ou=people,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
base    group   ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at

# Mappings
filter  passwd  (memberOf:1.2.840.113556.1.4.1941:=cn=E322_ALL,ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at)
map     passwd  uid             sAMAccountName
map     passwd  uidNumber       employeeID
map     passwd  gecos           cn
map     passwd  homeDirectory   "/home/${sAMAccountName}"
map     passwd  loginShell      "/bin/bash"
map     passwd  gidNumber       "2153"


filter  shadow  (memberOf:1.2.840.113556.1.4.1941:=cn=E322_ALL,ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at)
map     shadow  uid             sAMAccountName

filter  group   (cn=E322*)
map     group   userPassword    ""
map     group   gidNumber       objectSid:S-1-5-21-527783839-1561677997-9029855232
EOF

Do not forget to make sure that users get a home directory:

pam-auth-update mkhomedir
# Installation of libpam-ldapd most probably runs
# pam-auth-update ldap
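
The nslcd.conf above sets tls_reqcert never, which keeps the ldaps:// connection encrypted but leaves the directory server unauthenticated, and it stores bindpw in the file. The following check is an added example, not part of the original page: audit_nslcd is a hypothetical helper, and the sample files, ldap.example.org and PLACEHOLDER are constructed.

```shell
#!/bin/sh
# audit_nslcd FILE: print one finding per line; print nothing if FILE passes.
audit_nslcd() {
    conf=$1
    # Only uncommented options count: "#ssl off" has "#ssl" as its first field.
    awk '
        $1 == "tls_reqcert" && $2 !~ /^(demand|hard)$/ {
            print "tls_reqcert " $2 ": server certificate is not enforced"
        }
        $1 == "uri" && $2 ~ /^ldap:/ { plain = 1 }
        $1 == "ssl" && $2 == "start_tls" { starttls = 1 }
        END {
            if (plain && !starttls)
                print "uri ldap:// without ssl start_tls: binds are unencrypted"
        }
    ' "$conf"
    # bindpw is a stored credential: the file must not be readable by "other".
    if grep -q '^[[:space:]]*bindpw[[:space:]]' "$conf" &&
       [ -n "$(find "$conf" -perm -004)" ]; then
        echo "bindpw in world-readable file"
    fi
}

# Constructed samples: "as_on_page" mirrors the TLS lines of the config above,
# "hardened" enforces verification against the same CA bundle.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/as_on_page.conf" <<'EOF'
uri ldaps://ldap.example.org
bindpw PLACEHOLDER
#ssl off
tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
EOF
sed 's/^tls_reqcert never$/tls_reqcert demand/' \
    "$tmp/as_on_page.conf" >"$tmp/hardened.conf"
chmod 644 "$tmp/as_on_page.conf"
chmod 640 "$tmp/hardened.conf"

for f in as_on_page hardened; do
    echo "== $f"
    audit_nslcd "$tmp/$f.conf"
done
```

On the server itself, run audit_nslcd /etc/nslcd.conf as root after every change to the file.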

Enable hibernation

Create a swap file (not a swap partition), enable swap and modify the kernel command line to search for a RAM image.
Use filefrag to get the offset of the swap file.
It is not necessary to modify /etc/initramfs-tools/conf.d/resume.

touch /swap
chmod 600 /swap
dd if=/dev/zero of=/swap bs=1M count=32768
# Write the swap signature; without it the fstab entry below cannot be activated.
mkswap /swap
filefrag -v /swap | head
# Use the number in the first row, first column of the "physical_offset:" columns.
# This number has two dots appended (here: 202752..).
echo GRUB_CMDLINE_LINUX_DEFAULT=\"resume=PARTLABEL=root_partition resume_offset=202752\" \
    >/etc/default/grub.d/resume.cfg
# Regenerate grub.cfg so that the new kernel command line takes effect.
update-grub
echo "/swap    swap    swap    defaults    0    0"  >>/etc/fstab
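
Reading the offset by eye from the filefrag listing is easy to get wrong, so here is the same step as a small parser. It is an added example, not part of the original page: resume_offset is a hypothetical helper, and the filefrag listing is constructed around the offset quoted above.

```shell
#!/bin/sh
# resume_offset [PAGESIZE]: read `filefrag -v` output on stdin and print the
# first physical block of extent 0, i.e. the value for resume_offset=.
# Fails (status 1) if the filesystem block size differs from PAGESIZE, because
# the kernel counts resume_offset in pages, filefrag in filesystem blocks.
resume_offset() {
    awk -F: -v page="${1:-4096}" '
        /blocks of [0-9]+ bytes/ {
            bs = $0
            sub(/.*blocks of /, "", bs); sub(/ bytes.*/, "", bs)
        }
        $1 ~ /^ *0$/ {                 # extent row "0:"
            phys = $3                  # e.g. "  202752..  235519"
            sub(/\.\..*/, "", phys)    # drop the two dots and the end block
            gsub(/[^0-9]/, "", phys)
            found = 1
            exit
        }
        END {
            if (!found || bs + 0 != page + 0) exit 1
            print phys
        }
    '
}

# Constructed sample in the layout filefrag -v prints for a 32 GiB file on ext4.
sample='Filesystem type is: ef53
File size of /swap is 34359738368 (8388608 blocks of 4096 bytes)
 ext:     logical_offset:        physical_offset: length:   expected: flags:
   0:        0..   32767:     202752..    235519:  32768:
   1:    32768..   65535:     235520..    268287:  32768:'

off=$(printf '%s\n' "$sample" | resume_offset 4096)
echo "GRUB_CMDLINE_LINUX_DEFAULT=\"resume=PARTLABEL=root_partition resume_offset=$off\""
```

On the server the input comes from filefrag -v /swap piped into resume_offset "$(getconf PAGESIZE)". Splitting on the colons instead of on whitespace keeps the parser correct when large block numbers fill the column width and the fields run together.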

Mark customized files

cd /etc
chgrp oswat hostname fstab apt/sources.list apt/apt.conf.d/90recommended_false \
    systemd/network/10-gs1.network ssh/sshd_config ssh/sshd_config.d/permitrootlogin.conf \
    default/grub.d/resume.cfg
# nslcd.conf contains bindpw: changing the owner must not widen its mode
chown oswat nslcd.conf

gs2 (last edited 2024-05-15 09:20:10 by www)