#language en
#refresh 999999
## nearly two weeks until an update occurs

[[TableOfContents(2)]]

= Overview =

== Basic data ==

|| Hostname || `gs2.fluid.tuwien.ac.at` ||
|| Model || [https://www.supermicro.com/en/products/motherboard/X10SRW-F Supermicro X10SRW-F] S/N: NM154S015315||
|| Purpose || graphics server ||
|| Operating system || debian ||
|| Management interface || http://mgs2.fluid.tuwien.ac.at ||
|| Operator credentials || user: e322 (@mgs2; allowed to power on/off gs2) ||
||          || !Re2300PrandtlTaylor ||
|| Authentication options || TU password ||

== Hardware ==
|| CPU || [https://ark.intel.com/content/www/us/en/ark/products/82763/intel-xeon-processor-e51620-v3-10m-cache-3-50-ghz.html Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz (4 cores)]; Socket: FCLGA2011-3 ||
|| RAM || 32 GiB; up to 256 GB DDR4-2400MHz ||
|| Storage || 500 GB (/) Samsung SSD 850 EVO 500GB ||
|| Graphics card || !GeForce GTX 960 ||
|| BMC || AST2400 controller ||
|| Motherboard battery type || CR2032 ||

== Firmware ==
|| BIOS || Version 3.4, Build Date 2021-06-05 ||
|| BMC  || Version 03.93, Build Date 2021-05-28 ||

User's manuals for [:gs1?action=AttachFile&do=get&target=MNL-1570.pdf: motherboard/BIOS] and [:gs1?action=AttachFile&do=get&target=IPMI_Users_Guide.pdf: BMC/IPMI].

== Configuration ==
All customized configuration files are usually marked by group `oswat`, sometimes also user `oswat`,[[BR]]
`find /etc -user oswat -o -group oswat`

== BIOS ==
press DEL to enter BIOS, F11 for boot menu

== Admins ==
 * Thomas Loimer
 * Rudolf Ladner (ZID)

= Firmware update =

== Baseboard Management Controller (BMC) ==

Update firmware, because newer version provides iKVM/HTML5 virtual console and
[https://en.wikipedia.org/wiki/Redfish_(specification) Redfish].[[BR]]
Initially, IP Address of BMC was set to static 128.131.183.xxx - needed to  go to the server room and access BMC from the console.

On 2024-04-24, download firmware BMC_X10AST2400-32M_20210528_03.93_STD.zip from
https://www.supermicro.com/en/support/resources/downloadcenter/firmware/MBD-X10SRW-F/BMC [[BR]]

Unzip, trying to dump current firmware with binary `AlUpdate` contained in zip-file resulted in core dump.[[BR]]
Log in into GUI of BMC -> Maintenance -> Update Firmware[[BR]]
upload exactly 32 MiB file BMC_X10AST2400-32M_20210528_03.93_STD.bin
'''Uncheck''' box `Preserve configuration`; Network settings thankfully remain.

== BIOS ==

Download firmware on 2024-04-24 from https://www.supermicro.com/en/support/resources/downloadcenter/firmware/MBD-X10SRW-F/BIOS,
file X10SRW1.605.zip, unzip.
BIOS update needs an activation key, get one by using the tool from https://github.com/bwachter/supermicro-ipmi-key.[[BR]]
Generate activation key, `./supermicro-ipmi-key 0c:c4:7a:37:57:9d`, output: `90d4 cdb7 ab21 0cf7 33d0 96fa`.
Log in into GUI of BMC -> BIOS Update, Choose file (exactly 16 MiB) `X10SRW1.605`, uncheck any preserve-boxes (ME region, NVRAM, SMBIOS).
Click Start Upgrade.

=== BIOS Settings ===
Advanced -> PCIe/PCI/PnP Configuration: [[BR]]
 `RSC-R1UW-E8R SLOT1 PCI-E X8 OPROM`, `RSC-R1UW-2E16 SLOT1 PCI-E X16 OPROM`, `RSC-R1UW-2E16 SLOT1 PCI-E X16 OPROM`: Set type to `EFI`, was `Legacy`. [[BR]]
 `Onboard LAN OPROM Type`: `EFI`, was `Legacy`.[[BR]]
 Boot: Set boot type to `EFI`, was `Dual`.


= Installation of the base system (2024-04-29) =

Boot - the only boot media present is PXE booting - choose[[BR]]
Linuxe Network Installs -> Debian -> Text Based Install

== Debian Installer ==
 Language:  C - no localization[[BR]]
 Select your location: Europe -> Austria[[BR]]
 keymap to use: American English (since this is the keymap on the virtual iKVM/HTML5 keyboard)[[BR]]
 Configure the network: eno1 (yields a dhcp address during installation)
  -> hostname: gs2[[BR]]
  -> domain name: fluid.tuwien.ac.at[[BR]]
 Choose a mirror of the Debian archive: enter information manually[[BR]]
  -> mirror hostname: gd.tuwien.ac.at[[BR]]
  -> mirror directory: /opsys/linux/debian[[BR]]
  -> proxy information: (blank)[[BR]]
 Set up users and passwords:
  -> root password: ***[[BR]]
  -> Full name for user account: (blank)[[BR]]
  -> username: oswat[[BR]]
  -> Password for the new user: (same as root)[[BR]]
 Partition disks:[[BR]]
  -> Guided - use entire disk[[BR]]
  -> Select disk to partition: SCSI5 (0,0,0) (sda) - 500.1 GB ATA Samsung SSD 850[[BR]]
  -> All files in one partition ... then, change partition to[[BR]]
    #1 267.4 MB  B f ESP efi_fs  EFI System Partition, bootable (choose 265 MiB)[[BR]]
    #2 465 GB     f ext4 root_fs  /[[BR]]
    #3  34.8 GB   f swap [[BR]]
 Configuring popularity-contest: Yes[[BR]]
 Software selection: (nothing except)[[BR]]
  [*] SSH server[[BR]]
  [*] standard system utilities[[BR]]
 '''Reboot'''

== Network ==

Remove legacy ifupdown, use systemd-networkd and systemd-resolved.

{{{
ssh oswat@dhcp1 # Log in to the temporary address

# some network details are already set
chgrp oswat /etc/hostname

# the static IP address
cat >/etc/systemd/network/20-gs2.network <<EOF
[Match]
Type=ether

[Network]
Description=Static ethernet connection
Address=128.130.169.115/25
Gateway=128.130.169.1
DNS=128.130.4.3
DNS=128.131.4.3
Domains=fluid.tuwien.ac.at
#NTP=tutimeb.tuwien.ac.at tutimec.tuwien.ac.at tutimea.tuwien.ac.at
NTP=128.130.3.131 128.131.2.3 128.130.2.3
EOF

chgrp oswat /etc/systemd/network/20-gs2.network

# remove legacy network stack
apt purge ifupdown && systemctl start systemd-networkd
}}}

After that, the shell freezes, kill ssh, log in again,

{{{
ssh oswat@gs2
su - # change to root
systemctl enable systemd-networkd
# systemd-resolved is supposed to have DNS caching,
# use it instead of a manual /etc/resolv.conf file
apt install systemd-resolved
# these are packages recommended by systemd-resolved; here they are useful
apt install libnss-myhostname libnss-resolve

# append my public key to .ssh/authorized_keys
# scp ed25519.pub >/root/.ssh/authorized_keys
}}}

== Package sources ==

Use the local mirror gd.tuwien.ac.at, as entered during installation.[[BR]]
Do not install recommended packages.

{{{
chgrp oswat /etc/apt/sources.list

echo 'APT::Install-Recommends "false";' >/etc/apt/apt.conf.d/90recommended_false
chgrp oswat /etc/apt/apt.conf.d/90recommended_false
}}}

== Have sshd not accept user's environment ==

Do not forward the client's locale, since there is only C/POSIX on gs1.
{{{
apt install patch
patch /etc/ssh/sshd_config <<EOF
--- /etc/ssh/sshd_config.orig	2023-04-12 16:19:45.904116844 +0200
+++ /etc/ssh/sshd_config	2023-03-29 10:20:37.697903087 +0200
@@ -109,7 +109,7 @@
 #Banner none

 # Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
+#AcceptEnv LANG LC_*

 # override default of no subsystems
 Subsystem	sftp	/usr/lib/openssh/sftp-server
EOF

chgrp oswat /etc/ssh/sshd_config
}}}

== Allow all members of E322 to log in ==

{{{
apt install libnss-ldapd libpam-ldapd nscd  # additionally installs nslcd
}}}

Configuring nslcd: [[BR]]
LDAP server URI: ldaps://dc.intern.tuwien.ac.at[[BR]]
search base: ou=tu,dc=intern,dc=tuwien,dc=ac,dc=at[[BR]]
check server's SSL certificate: never[[BR]]
Name services to configure (etc/nsswitch): passwd, group, shadow[[BR]]

{{{
cat >>/etc/nslcd.conf <<EOF
#
# CUSTOMIZATION
#

# The DN to bind with for normal lookups.
binddn cn=E322_LDAP,ou=interactive,ou=exchange,ou=IT-services,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
bindpw ***

base	passwd	ou=people,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
base	shadow	ou=people,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
base	group	ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at

# Mappings
filter	passwd	(memberOf:1.2.840.113556.1.4.1941:=cn=E322_ALL,ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at)
map	passwd	uid		sAMAccountName
map	passwd	uidNumber	employeeID
map	passwd	gecos		cn
map	passwd	homeDirectory	"/home/${sAMAccountName}"
map	passwd	loginShell	"/bin/bash"
map	passwd	gidNumber	"2153"

filter	shadow	(memberOf:1.2.840.113556.1.4.1941:=cn=E322_ALL,ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at)
map	shadow	uid		sAMAccountName

filter	group	(cn=E322*)
map	group	userPassword	""
map	group	gidNumber	objectSid:S-1-5-21-527783839-1561677997-9029855232
EOF

# create home directories on first login
pam-auth-update --enable mkhomedir

# Login message
cat >/etc/motd <<EOF
Welcome to gs2.fluid.tuwien.ac.at

This computer is available for all members of the Institute
of Fluid Mechanics and Heat Transfer. By default, you belong
to group E322 and everybody can read your files. Issue the
command `umask 077` if you want to keep your files private.
EOF

chgrp oswat /etc/nslcd.conf /etc/motd
systemctl restart nslcd
}}}

== Hibernation ==

Hibernate after 72 hours idle time. Download loadavgd-1.1.tar.xz from [https://sourceforge.net/projects/loadavgd sourceforge],
compile and install. Compilation was done on a different machine.[[BR]]
With a swap partition, hibernation works without further customization.

{{{
wget https://downloads.sourceforge.net/project/loadavgd/loadavgd-1.1.tar.xz
# unpack and compile, see README
cp loadavgd		/usr/local/sbin/
cp loadavgd.conf	/etc/
cp loadavgd.service	/etc/systemd/system/
cp loadavgd.8.gz	/usr/local/share/man/man8/
patch -p1 /etc/loadavgd.conf <<EOF
diff -u old/loadavgd.conf new/loadavgd.conf
--- old/loadavgd.conf	2024-05-13 10:50:25.589751201 +0200
+++ new/loadavgd.conf	2024-05-13 10:50:30.133860741 +0200
@@ -12,10 +12,10 @@
 # the number of intervals times the duration of an interval.
 # Currently, must be one of "Suspend", "PowerOff", "Halt", "Hibernate",
 # "HybridSleep", or "SuspendThenHibernate".
-#action = Suspend
+action = Hibernate

 # How many intervals the computer must be idle before the action is taken.
-#intervals = 8
+intervals = 288

 # Duration of one interval.
 # Must be 1 for 1 minute, 2 for 5 minutes, or 3 for 15 minutes
EOF
systemctl enable loadavgd
chgrp oswat /etc/loadavgd.conf
}}}

== Backup configuration (/etc) ==

Create user gs2-root``@b.fluid.tuwien.ac.at,
see the description to backup users on page [:b#head-29e0241aee32b3fdff1537d700f933e4d0e8f8d3: b].[[BR]]
Create a ssh-key, copy the public part to ~gs2-root@b/.ssh/authorized_keys,
copy the backup scripts to /opt/backup_scripts and create a cron job for periodic backup.
On b, create a cron-job to prune the backups, again see page [:b#head-29e0241aee32b3fdff1537d700f933e4d0e8f8d3: b].

{{{
ssh-keygen -q -t ed25519 -N "" -f ~/.ssh/id_ed25519
# Copy the key to b. root is not allowed to log in, copy via a regular user
{ echo -n 'command="borg serve --restrict-to-path /mnt/backup",restrict '; cat .ssh/id_ed25519.pub; } \
    | ssh tloimer@b "cat >/tmp/authorized_keys"
# as root on b, copy authorized_keys to its final destination
root@b$ install -m 600 -o gs2-root -g gs2-root /tmp/authorized_keys /mnt/backup/gs2/.ssh/ \
    && rm /tmp/authorized_keys
# daily backup
git clone  oswat@b.fluid.tuwien.ac.at:backup-scripts.git /opt/borgscripts
cat >>/etc/cron.d/borg-backup <<EOF
30 05 * * * root systemd-cat /opt/borgscripts/borg-backup /etc gs2-root@b:.
EOF
chgrp oswat /etc/cron.d/borg-backup
apt install borgbackup
}}}

Write a list of manually (manual) and all (install) installed packages to /etc/packages.[[BR]]
This is done by creating systemd templates that effectively do `apt-mark showinstall >/etc/packages/install` and
`apt-mark showmanual >/etc/packages/manual` each time /var/log/apt/history.log is modified.

{{{
mkdir /etc/packages
chgrp oswat /etc/packages
cat >/etc/systemd/system/packages-@.path <<EOF
[Unit]
Description=Monitor apt log file

[Path]
PathChanged=/var/log/apt/history.log

[Install]
WantedBy=multi-user.target
EOF

cat >/etc/systemd/system/packages-@.service <<EOF
[Unit]
Description=Write list of installed packages to /etc/packages/%i
StartLimitIntervalSec=900
StartLimitBurst=4

[Service]
Group=oswat
Type=oneshot
StandardOutput=truncate:/etc/packages/%i
ExecStart=apt-mark show%i
EOF

systemctl enable packages-@manual.path
systemctl enable packages-@install.path
}}}