#language en
#refresh 999999
## nearly two weeks until an update occurs

[[TableOfContents(2)]]

= Overview =

== Basic data ==

|| Hostname || `gs2.fluid.tuwien.ac.at` ||
|| Model || [https://www.supermicro.com/en/products/motherboard/X10SRW-F Supermicro X10SRW-F] S/N: NM154S015315||
|| Purpose || graphics server ||
|| Operating system || debian ||
|| Management interface || http://mgs2.fluid.tuwien.ac.at ||
|| Authentication options || TU password ||

== Hardware ==
|| CPU || [https://ark.intel.com/content/www/us/en/ark/products/82763/intel-xeon-processor-e51620-v3-10m-cache-3-50-ghz.html Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz (4 cores)]; Socket: FCLGA2011-3 ||
|| RAM || 32 GiB; up to 256 GB DDR4-2400MHz ||
|| Storage || 500 GB (/) Samsung SSD 850 EVO 500GB ||
|| Graphics card || !GeForce GTX 960 ||
|| BMC || AST2400 controller ||
|| Motherboard battery type || CR2032 ||

== Firmware ==
|| BIOS || Version 3.4, Build Date 2021-06-05 ||
|| BMC  || 

User's manuals for [:gs1?action=AttachFile&do=get&target=MNL-1570.pdf: motherboard/BIOS] and [:gs1?action=AttachFile&do=get&target=IPMI_Users_Guide.pdf: BMC/IPMI].

== Configuration ==
All customized configuration files are usually marked by group `oswat`, sometimes also user `oswat`,[[BR]]
`find /etc -user oswat -o -group oswat`

== BIOS ==
press DEL to enter BIOS, F11 for boot menu

== Admins ==
 * Thomas Loimer
 * Rudolf Ladner (ZID)

= Firmware update =

== Baseboard Management Controller (BMC) ==

Update firmware, because newer version provides iKVM/HTML5 virtual console.[[BR]]
Initially, IP Address of BMC was set to static 128.131.183.xxx - needed to  go to the server room and access BMC from the console.

On 2024-04-24, download firmware BMC_X10AST2400-32M_20210528_03.93_STD.zip from
https://www.supermicro.com/en/support/resources/downloadcenter/firmware/MBD-X10SRW-F/BMC [[BR]]

Unzip, trying to dump current firmware with binary `AlUpdate` contained in zip-file resulted in core dump.[[BR]]
Log in into GUI of BMC -> Maintenance -> Update Firmware[[BR]]
upload exactly 32 MiB file BMC_X10AST2400-32M_20210528_03.93_STD.bin
'''Uncheck''' box `Preserve configuration`; Network settings thankfully remain.

== BIOS ==

Download firmware on 2024-04-24 from https://www.supermicro.com/en/support/resources/downloadcenter/firmware/MBD-X10SRW-F/BIOS,
file X10SRW1.605.zip, unzip.
BIOS update needs an activation key, get one by using the tool from https://github.com/bwachter/supermicro-ipmi-key.[[BR]]
Generate activation key, `./supermicro-ipmi-key 0c:c4:7a:37:57:9d`, output: `90d4 cdb7 ab21 0cf7 33d0 96fa`.
Log in into GUI of BMC -> BIOS Update, Choose file (exactly 16 MiB) `X10SRW1.605`, uncheck any preserve-boxes (ME region, NVRAM, SMBIOS).
Click Start Upgrade.

=== Settings ===

Advanced -> PCIe/PCI/PnP Configuration:[[BR]]
`RSC-R1UW-E8R SLOT1 PCI-E X8 OPROM`, `RSC-R1UW-2E16 SLOT1 PCI-E X16 OPROM`, `RSC-R1UW-2E16 SLOT1 PCI-E X16 OPROM`: Set type to `EFI`, was `Legacy`. [[BR]]
`Onboard LAN OPROM Type`: `EFI`, was `Legacy`.

Boot: Set boot type to `EFI`, was `Dual`.


= Installation of the base system (2024-04-29) =

Boot - the only boot media present is PXE booting - choose[[BR]]
Linuxe Network Installs -> Debian -> Text Based Install

== Debian Installer ==
 Language:  C - no localization[[BR]]
 Select your location: Europe -> Austria[[BR]]
 keymap to use: American English (since this is the keymap on the virtual iKVM/HTML5 keyboard)[[BR]]
 Configure the network: eno1 (yields a dhcp address during installation)
  -> hostname: gs2[[BR]]
  -> domain name: fluid.tuwien.ac.at[[BR]]
 Choose a mirror of the Debian archive: enter information manually[[BR]]
  -> mirror hostname: gd.tuwien.ac.at[[BR]]
  -> mirror directory: /opsys/linux/debian[[BR]]
  -> proxy information: (blank)[[BR]]
 Set up users and passwords:
  -> root password: ***[[BR]]
  -> Full name for user account: (blank)[[BR]]
  -> username: oswat[[BR]]
  -> Password for the new user: (same as root)[[BR]]
 Partition disks:[[BR]]
  -> Guided - use entire disk[[BR]]
  -> Select disk to partition: SCSI5 (0,0,0) (sda) - 500.1 GB ATA Samsung SSD 850[[BR]]
  -> All files in one partition ... then, change partition to[[BR]]
    #1 267.4 MB  B f ESP efi_fs  EFI System Partition, bootable (choose 265 MiB)[[BR]]
    #2 465 GB     f ext4 root_fs  /[[BR]]
    #3  34.8 GB   f swap [[BR]]
 Configuring popularity-contest: Yes[[BR]]
 Software selection: (nothing except)[[BR]]
  [*] SSH server[[BR]]
  [*] standard system utilities[[BR]]
 Reboot

== Installation of the base system ==

Log in, set up the base system
{{{
ssh oswat@dhcp1 (the temporary address)

cat >/etc/systemd/network/20-gs2.network <<EOF
[Match]
Type=ether

[Network]
Description=Static ethernet connection
Address=128.130.169.115/25
Gateway=128.130.169.1
DNS=128.130.4.3
DNS=128.131.4.3
Domains=fluid.tuwien.ac.at
#NTP=tutimeb.tuwien.ac.at tutimec.tuwien.ac.at tutimea.tuwien.ac.at
NTP=128.130.3.131 128.131.2.3 128.130.2.3
EOF

# remove legacy network stack
apt purge ifupdown && systemctl start systemd-networkd
}}}

After that, the shell freezes, kill ssh, log in again,

{{{
ssh oswat@gs2
su - # change to root
# append my public key to .ssh/authorized_keys
# scp ed25519.pub >~/.ssh/authorized_keys
systemctl enable systemd-networkd
# do not install recommended packages
echo 'APT::Install-Recommends "false";' >/etc/apt/apt.conf.d/90recommended_false
chgrp oswat /etc/apt/apt.conf.d/90recommended_false
# although here recommended packages are useful
apt install sytemd-resolved
apt install libnss-myhostname libnss-resolve
}}}


Debian bookworm (12.0) was installed on the 500 GB SSD, one partition (≈100 MB) for the efi (/boot/efi),
the reminder of the disk for root (/), ext4 filesystem.
The file systems were labelled, `root_fs` and `home_fs`.[[BR]]
While in the debian installer, ssh-server was chosen, no localications, only C and C.utf8.[[BR]]
Install grub2 as bootloader; The kernel efi-stub needs a commandline (root=/dev/sda2 initrd=\EFI\debian\initrd.img),
no way to set that from the BIOS.[[BR]]
Had to create an administrative user: oswat, the home directory is `/opt/oswat`!

== Partitioning ==
|| /dev/sda   ||<style="text-align: right;"> 500 GB || || ||
|| /dev/sda1  ||<style="text-align: right;">  94 MB || /boot/efi || vfat ||
|| /dev/sda2  ||<style="text-align: right;"> 500 GB || / || ext4 ||
|| /dev/sdb+c ||<style="text-align: right;"> 2 TB || /home || btrfs-raid1 ||

== Network ==
{{{
echo gs1 >/etc/hostname
}}}

Note, the resolver (Domains=) and NTP-server is set per interface, see below.
This keeps the configuration in one file.
{{{
cat >/etc/systemd/network/10-gs1.network <<EOF
[Match]
MACAddress=0c:c4:7a:69:5a:20

[Network]
Description=Static ethernet connection
Address=128.130.169.110/25
Gateway=128.130.169.1
DNS=128.130.4.3
DNS=128.131.4.3
Domains=fluid.tuwien.ac.at
#NTP=tutimeb.tuwien.ac.at tutimec.tuwien.ac.at tutimea.tuwien.ac.at
NTP=128.130.3.131 128.131.2.3 128.130.2.3
EOF
}}}

Remove legacy ifupdown, use ntp.
{{{
apt install systemd-resolved systemd-timesyncd
apt purge ifupdown
}}}

== File systems ==
{{{
apt install btrfs-progs zstd
# create a btrfs-raid1 for data (-d) and medatadata (-m) from /dev/sdb and /dev/sdc
mkfs.btrfs -f -L home_fs -d raid1 -m raid1 /dev/sdb /dev/sdc

cat >>/etc/fstab <<EOF
# / was on /dev/sda2 during installation
LABEL=root_fs   /               ext4    noatime,errors=remount-ro 0       1
# /boot/efi was on /dev/sda1 during installation
UUID=5AA6-2350  /boot/efi       vfat    umask=0077                0       1
LABEL=home_fs   /home           btrfs   compress=zstd             0       2
EOF
}}}

== Installation sources ==

{{{
cat >/etc/apt/sources.list <<EOF
# Most preferred sources are listed first, see man sources.list(5)

deb http://gd.tuwien.ac.at/opsys/linux/debian bookworm main non-free contrib
deb-src http://gd.tuwien.ac.at/opsys/linux/debian bookworm main non-free contrib

# The fallback solution, if gd.tuwien does not work
deb http://deb.debian.org/debian bookworm main non-free contrib
deb-src http://deb.debian.org/debian bookworm main non-free contrib

deb http://security.debian.org/debian-security bookworm-security main contrib non-free
deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free

# bookworm-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://gd.tuwien.ac.at/opsys/linux/debian/ bookworm-updates main contrib non-free
deb-src http://gd.tuwien.ac.at/opsys/linux/debian/ bookworm-updates main contrib non-free
deb http://deb.debian.org/debian/ bookworm-updates main contrib non-free
deb-src http://deb.debian.org/debian/ bookworm-updates main contrib non-free
EOF
}}}

Do not install, by default, recommended packages.
{{{
echo 'APT::Install-Recommends "false";' >/etc/apt/apt.conf.d/90recommended_false
}}}

== User access ==

=== sshd customization ===
Do not forward the client's locale, since there is only C/POSIX on gs1.
Also, there is no sudo, allow root to login.
{{{
echo "PermitRootLogin yes" >/etc/ssh/sshd_config.d/permitrootlogin.conf

apt install patch
patch <<EOF
--- /etc/ssh/sshd_config.orig	2023-04-12 16:19:45.904116844 +0200
+++ /etc/ssh/sshd_config	2023-03-29 10:20:37.697903087 +0200
@@ -109,7 +109,7 @@
 #Banner none

 # Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
+#AcceptEnv LANG LC_*

 # override default of no subsystems
 Subsystem	sftp	/usr/lib/openssh/sftp-server
EOF
}}}

=== Allow all members of E322 to log in ===

{{{
# see https://arthurdejong.org/nss-pam-ldapd/
apt install libnss-ldapd libpam-ldapd nscd

# here is the entire /etc/nslcd.conf file
# some options in the first 20 lines might be set at installation time
cat >/etc/nslcd.conf <<EOF
#
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://dc.intern.tuwien.ac.at

# The search base that will be used for all queries.
base ou=tu,dc=intern,dc=tuwien,dc=ac,dc=at

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn cn=E322_LDAP,ou=interactive,ou=exchange,ou=IT-services,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
bindpw **<confidential>**

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub

# Here ends the shipped configuration file, customisation starts ...

base	passwd	ou=people,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
base	shadow	ou=people,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
base	group	ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at

# Mappings
filter	passwd	(memberOf:1.2.840.113556.1.4.1941:=cn=E322_ALL,ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at)
map	passwd	uid		sAMAccountName
map	passwd	uidNumber	employeeID
map	passwd	gecos		cn
map	passwd	homeDirectory	"/home/${sAMAccountName}"
map	passwd	loginShell	"/bin/bash"
map	passwd	gidNumber	"2153"


filter	shadow	(memberOf:1.2.840.113556.1.4.1941:=cn=E322_ALL,ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at)
map	shadow	uid		sAMAccountName

filter	group	(cn=E322*)
map	group	userPassword	""
map	group	gidNumber	objectSid:S-1-5-21-527783839-1561677997-9029855232
EOF
}}}

Do not forget to have users have a home directory,
{{{
pam-auth-update mkhomedir
# Installation of libpam-ldapd most probably runs
# pam-auth-update ldap
}}}

== Enable hibernation ==

Create a swap file (not a swap partition), enable swap and
modify the kernel command line to search for a RAM image.[[BR]]
Use `filefrag` to get the offset of the swap file.[[BR]]
It is not necessary to modify `etc/initramfs-tools/conf.d/resume`.
{{{
touch /swap
chmod 600 /swap
dd if=/dev/zero of=/swap bs=1M count=32768
filefrag -v /swap | head
# Use the number in the first row, first column of the "physical offset:" columns.
# This number has two dots appended (here: 202752..).
echo GRUB_CMDLINE_LINUX_DEFAULT=\"resume=PARTLABEL=root_partition resume_offset=202752\" \
    >/etc/default/grub.d/resume.cfg
echo "/swap    swap    swap    defaults    0    0"  >>/etc/fstab
}}}

== Mark customized files ==

{{{
cd etc
chgrp oswat hostname fstab apt/sources.list apt/apt.conf.d/90recommended_false \
    systemd/network/10-gs1.network sshd_config sshd_config.d/permitrootlogin.conf \
    default/grub.d/resume.cfg
chown oswat nslcd.conf
}}}